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ABSTRACT 


The  National  Institute  of  Standards  and  Technology  (NIST)  Modes  of  Operation  Validation 
System  (MOVS)  specifies  the  procedures  involved  in  validating  implementations  of  the  DES 
algorithm  in  FIPS  PUB  46-2  The  Data  Encryption  Standard  (DES)  and  the  Skipjack  algorithm  in 
FIPS  PUB  185,  Escrowed  Encryption  Standard  (ESS).  The  MOVS  is  designed  to  perform 
automated  testing  on  Implementations  Under  Test  (lUTs).  This  publication  provides  brief 
overviews  of  the  DES  and  Skipjack  algorithms  and  introduces  the  basic  design  and  configuration 
of  the  MOVS.  Included  in  this  overview  are  the  specifications  for  the  two  categories  of  tests 
which  make  up  the  MOVS,  i.e.,  the  Known  Answer  tests  and  the  Modes  tests.  The  requirements 
and  administrative  procedures  to  be  followed  by  those  seeking  formal  NIST  validation  of  an 
implementation  of  the  DES  or  Skipjack  algorithm  are  presented.  The  requirements  described 
include  the  specific  protocols  for  communication  between  the  lUT  and  the  MOVS,  the  types  of 
tests  which  the  lUT  must  pass  for  formal  NIST  validation,  and  general  instructions  for  accessing 
and  interfacing  with  the  MOVS.  An  appendix  with  tables  of  values  and  results  for  the  DES  and 
Skipjack  Known  Answer  tests  is  also  provided. 

Key  words:  automated  testing,  computer  security,  cryptographic  algorithms,  cryptography,  Data 
Encryption  Standard  (DES),  Federal  Information  Processing  Standard  (FIPS),  NVLAP,  Skipjack 
algorithm,  secret  key  cryptography,  validation. 

1.  INTRODUCTION 


1.1  Background 

This  publication  specifies  the  various  tests  required  to  validate  implementations  under  test  (lUTs) 
for  conformance  to  the  DES  and  Skipjack  algorithms.  When  applied  to  lUTs  of  the  DES 
algorithm,  the  Modes  of  Operation  Validation  System  (MOVS)  provides  conformance  testing  for 
the  various  components  of  the  algorithm,  as  well  as  testing  for  apparent  operational  errors.  The 
MOVS  is  also  used  to  test  for  apparent  operational  errors  in  lUTs  of  the  Skipjack  algorithm. 

The  MOVS  is  composed  of  two  types  of  validation  tests,  the  Known  Answer  tests  and  the  Modes 
tests.  Both  of  these  are  based  on  validation  tests  described  in  SP500-20,  Validating  the 
Correctness  of  Hardware  Implementations  of  the  NBS  Data  Encryption  Standard.  As  SP500- 
20's  title  implies,  the  validation  tests  were  written  to  validate  hardware  implementations  of  the 
DES  algorithm.  SP800- 1 7  expands  on  this  by  specifying  how  to  validate  implementations  of  the 
DES  algorithm  in  software,  firmware,  hardware,  or  any  combination  thereof  The  document  also 
addresses  implementations  of  the  Skipjack  algorithm,  which  must  be  implemented  in  electronic 
devices  (e.g.,  very  large  scale  integration  chips).  The  Known  Answer  tests  and  Modes  tests  are 
based  on  the  standard  DES  test  set  and  the  Monte-Carlo  tests  respectively,  as  specified  in  SP500- 
20. 
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To  perform  the  Known  Answer  tests,  the  MOVS  supplies  known  values  to  the  lUT.  The  lUT 
then  processes  the  input  through  the  implemented  algorithm,  and  the  results  are  compared  to 
expected  values.  When  applied  to  lUTs  of  the  DES  algorithm,  the  Known  Answer  tests  verify 
that  the  lUT  correctly  implements  the  components  of  the  algorithm  (e.g.,  S  boxes, ...).  When 
applied  to  lUTs  of  the  Skipjack  algorithm,  these  same  tests  verify  that  the  implemented  algorithm 
produces  the  correct  results,  i.e.,  given  known  input,  the  correct  results  are  produced. 

Since  the  test  set  used  for  the  Known  Answer  tests  is  public  knowledge,  another  type  of 
validation  test  has  been  designed  to  use  pseudo-random  data.  This  test  is  the  Modes  test.  The 
Modes  test  verifies  that  the  lUT  has  not  been  designed  just  to  pass  the  Known  Answer  tests.  A 
successful  series  of  Modes  tests  gives  some  assurance  that  an  anomalous  combination  of  inputs 
does  not  exist  that  would  cause  the  test  to  end  abnormally  for  reasons  not  directly  related  to  the 
implementation  of  the  algorithm.  An  additional  purpose  of  the  Modes  test  is  to  verify  that  no 
undesirable  condition  within  the  lUT  will  cause  the  key  or  plaintext  to  be  exposed  due  to  an 
implementation  or  operational  error.  The  Modes  test  is  not  a  reliability  test,  but  merely  checks 
for  the  presence  of  an  apparent  operational  error. 

1.2  Organization 

Section  2  gives  a  brief  overview  of  the  DES  and  Skipjack  algorithms  and  the  four  modes  of 
operation  allowed  by  both  of  these  algorithms.  Section  3  provides  an  overview  of  the  tests  which 
make  up  the  Modes  of  Operation  Validation  System  (MOVS)  for  the  DES  and  Skipjack 
algorithms.  Section  4  describes  the  basic  protocol  used  by  the  MOVS.  Section  5  provides  a 
detailed  explanation  of  each  test  required  by  the  MOVS  to  validate  an  lUT  of  the  DES  and 
Skipjack  algorithms.  Section  6  outlines  the  design  of  the  MOVS.    Appendix  A  provides  an 
example  of  round  outputs  for  the  DES,  and  Appendix  B  provides  tables  of  values  for  the  Known 
Answer  tests  for  both  the  DES  and  Skipjack  algorithms.  These  tables  include  Table  1  -  Resulting 
Ciphertext  from  the  Variable  Plaintext  Known  Answer  Test  for  DES,  Table  2  -  Resulting 
Ciphertext  from  the  Variable  Key  Known  Answer  Test  for  DES,  Table  3  -  Values  to  be  Used  for 
the  Permutation  Operation  Known  Answer  Test,  Table  4  -  Values  to  be  Used  for  the  Substitution 
Tables  Known  Answer  Test,  Table  5  -  Resuking  Ciphertext  from  the  Variable  Plaintext  Known 
Answer  Test  for  Skipjack,  and  Table  6  -  Resulting  Ciphertext  from  the  Variable  Key  Known 
Answer  Test  for  Skipjack. 
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2.  PRIVATE  KEY  ALGORITHMS 


2.1  Data  Encryption  Standard  (DES)  (FIPS  PUB  46-2) 

FIPS  PUB  46-2,  The  Data  Encryption  Standard  (DES),  published  on  December  30,  1993,  is  a 
cryptographic  algorithm  which  has  been  standardized  for  use  within  the  Federal  Government  for 
protecting  the  transmission  and  storage  of  unclassified  computer  data.  DES  is  a  FIPS  approved 
cryptographic  algorithm  as  required  by  FIPS  140-1,  Security  Requirements  for  Cryptographic 
Modules,  January  11,  1994. 

The  DES  algorithm  is  a  recirculating,  64-bit,  block  product  cipher  whose  security  is  based  on  a 
secret  key.  The  DES  keys  are  64-bit  binary  vectors  consisting  of  56  information  bits  and  8  parity 
bits.  The  parity  bits  are  reserved  for  error  detection  purposes  and  are  not  used  by  the  encryption 
algorithm.  The  56  information  bits  are  used  by  the  enciphering  and  deciphering  operations  and 
are  referred  to  as  the  active  key. 

In  the  enciphering  computation,  a  block  to  be  enciphered  is  subjected  to  an  initial  permutation 
(IP),  then  to  a  complex  key-dependent  computation  and  finally  to  a  permutation  which  is  the 
inverse  of  the  initial  permutation  (IP"').  The  key-dependent  computation  can  be  defined  in  terms 
of  a  function  f,  called  the  cipher  function,  and  a  function  KS,  called  the  key  schedule.  The 
function  f  involves  E  operators,  substitution  tables  (S-boxes),  and  permutations  (P).  The  64  bit 
input  block  is  divided  into  two  halves,  each  consisting  of  32  bits.  One  half  is  used  as  input  to  the 
function/  and  the  result  is  exclusive  ORed  to  the  other  half.  After  one  iteration,  or  round,  the 
two  halves  of  data  are  swapped,  and  the  operation  is  performed  again.  The  DES  algorithm  uses 
16  rounds  to  produce  a  recirculating  block  product  cipher.  The  cipher  produced  by  the  algorithm 
displays  no  correlation  to  the  input.  Every  bit  of  the  output  depends  on  every  bit  of  the  input  and 
on  every  bit  of  the  active  key.  An  example  of  round-by-round  encryption  for  a  given  key  and 
plaintext  is  shown  in  Appendix  A. 

For  a  thorough  discussion  of  the  DES  algorithm  and  its  components,  consult  FIPS  PUB  46-2. 
Guidelines  on  the  proper  usage  of  the  DES  are  published  in  FIPS  PUB  74,  Guidelines  for 
Implementing  and  Using  the  NBS  Data  Encryption  Standard.  A  brief  description  of  the 
components  of  the  DES  algorithm  follows. 
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2.1.1  TheS-boxes 


The  non-linear  substitution  tables,  or  S-boxes,  constitute  an  important  part  of  the  algorithm.  The 
purpose  of  the  S-boxes  is  to  ensure  that  the  algorithm  is  not  linear.  There  are  eight  different  S- 
boxes.  Figure  2.1  displays  one  of  these.  Each  S-box  contains  64  entries,  organized  as  a  4x16 
matrix.  Each  entry  is  a  four  bit  binary  number,  represented  as  0-15.  A  particular  entry  in  a  single 
S-box  is  selected  by  six  bits,  two  of  which  select  a  row  and  four  select  a  column.  The  entry  in 
the  corresponding  row  and  column  is  the  output  for  that  input.  Each  row  in  each  S-box  is  a 
permutation  of  the  numbers  0-15,  so  no  entry  is  repeated  in  any  one  row.  The  output  of  the 
parallel  connection  of  eight  S-boxes  is  32  bits. 
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Figure  2.1  One  of  the  Eight  S-Boxes  in  the  DES 


2.1.2  The  Key  Schedule 

The  key  schedule  provides  a  linear  means  of  thoroughly  intermixing  the  bits  of  the  56-bit  key 
specified  for  use  in  the  DES  operation  to  form  a  different  48-bit  key  for  each  of  the  16  rounds  of 
the  DES  algorithm.  This  is  done  in  the  following  manner:  The  key  is  subjected  to  a  permuted 
choice  1  (PCI)  where  the  bits  of  the  key  are  reorganized.  The  permuted  key  is  then  divided  into 
two  parts  denoted  Cj  and  Dj.  These  parts  are  shifted  left  a  predetermined  number  of  times 
producing  Ci+,  and  Dj+,.  The  resulting  values  are  subjected  to  a  permuted  choice  2  (PC2)  which 
reorganizes  the  bits  again,  producing  the  round  key  Ki+,.  To  compute  the  next  round  key  Kj+j, 
Cj+i  and  Dj+i  are  shifted  left  a  predetermined  number  of  times.  The  resulting  value  is  then 
subjected  to  PC2.  This  procedure  is  repeated  to  calculate  the  16  round  keys. 

Both  the  permutations  in  the  key-schedule,  PCI  and  PC2,  intermix  the  key  bits  among  the  round 
keys  in  such  a  way  as  to  equalize  key-bit  utilization.  It  does  this  by  forcing  each  key  bit  to  be 
used  no  more  than  15  times  and  no  less  than  12  times. 

Figure  2.2  shows  how  the  key  schedule  determines  the  sixteen  48-bit  round  keys  fi*om  the  56-bit 
encryption  key. 
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Figure  2.2  The  Key  Schedule  for  the  DES 


2.1.3  The  Permutations  and  E  Operator 

The  role  of  the  permutation  P  is  to  thoroughly  mix  the  data  bits  so  they  cannot  be  traced  back 
through  the  S-boxes.  The  initial  and  final  permutations  are  byte  oriented,  and  the  data  is  output 
eight  bits  at  a  time.  The  operator  E  expands  a  32  bit  input  to  a  48  bit  output  that  is  added  mod 
two  to  the  round  key.  The  permutations  in  the  key-schedule,  PCI  and  PC2,  intermix  the  bits  that 
result  from  the  S-box  substitution  in  a  complex  way  to  prevent  bit  tracing. 

Each  permutation  is  a  linear  operator,  and  so  can  be  thought  of  as  an  n  x  w  matrix  and  can  be 
validated  completely  if  it  operates  correctly  on  an  appropriate  maximal  linearly  independent  set 
of  input  vectors,  i.e.,  a  suitable  basis. 


2.2  Skipjack  Encryption  Algorithm 

The  Skipjack  algorithm  is  a  classified  symmetric-key  cryptographic  algorithm  designed  by  the 
National  Security  Agency  (NSA).  The  specifications  for  the  Skipjack  algorithm  are  contained  in 
the  R21  Informal  Technical  Report  entitled  "SKIPJACK"  (S),  R21-TECH-044-91,  May  21, 
1991.  Organizations  holding  an  appropriate  security  clearance  and  entering  into  a  Memorandum 
of  Agreement  with  the  National  Security  Agency  regarding  implementations  of  the  standard  will 
be  provided  access  to  the  classified  specifications. 

As  discussed  in  PIPS  PUB  185,  Escrowed  Encryption  Standard  (ESS),  the  Skipjack  algorithm 
has  been  approved  for  government  applications  requiring  the  encryption  of  sensitive  but 
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unclassified  data  telecommunications.  The  Skipjack  algorithm  is  a  64-bit  code  book 
transformation  that  utilizes  the  same  four  DES  modes  of  operation  as  specified  in  FIPS  PUB  81, 
DES  Modes  of  Operation  and  FIPS  PUB  74,  Guidelines  for  Implementing  and  Using  the  NBS 
Data  Encryption  Standard.  Skipjack  uses  an  80-bit  encryption/decryption  key  (compared  with  a 
56-bit  key  used  by  DES)  and  has  32  rounds  of  processing  per  single  encrypt/decrypt  operation 
(compared  with  16  rounds  for  the  DES).  Skipjack  outputs  64  bits  of  output  per  round. 

The  Skipjack  algorithm  may  only  be  implemented  in  electronic  devices  (e.g.,  very  large  scale 
integration  chips).  The  devices  may  be  incorporated  in  security  equipment  used  to  encrypt  (and 
decrypt)  sensitive  unclassified  telecommunications  data. 

2.3  The  Four  Modes  of  Operation 

The  DES  and  Skipjack  algorithms  both  utilize  the  same  four  modes  of  operation  specified  in 
FIPS  PUB  81,  DES  Modes  of  Operation.  These  modes  are  the  Electronic  Codebook  (ECB) 
Mode,  the  Cipher  Block  Chaining  (CBC)  Mode,  the  Cipher  Feedback  (CFB)  Mode,  and  the 
Output  Feedback  (OFB)  Mode. 
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2.3.1  Electronic  Codebook  (ECB)  Mode 
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Figure  2.3  Electronic  Codebook  (ECB)  Mode 


The  Electronic  Codebook  (ECB)  mode  is  shown  in  Figure  2.3.  In  ECB  encryption,  a  plaintext 
data  block  (D,,  Dj, 0^4)  is  used  directly  as  the  input  block  (I,,  I2, I64).  The  input  block  is 
processed  through  the  DES  or  Skipjack  algorithm  in  the  encrypt  state.  The  resultant  output  block 
(O,,  02,.",064)  is  used  directly  as  ciphertext  (C,,  Cj,.-,  C^)- 

In  ECB  decryption,  a  ciphertext  block  (C,,  Cj, C^)  is  used  directly  as  the  input  block  (I,, 
I2v,l64)-  The  input  block  is  then  processed  through  the  DES  or  Skipjack  algorithm  in  the  decrypt 
state.  The  resultant  output  block  (Oi,  02,...,064)  produces  the  plaintext  (D,,D2,...,D64).  The  ECB 
decryption  process  is  the  same  as  the  ECB  encryption  process  except  that  the  decrypt  state  of  the 
DES  or  Skipjack  algorithm  is  used  rather  than  the  encrypt  state. 
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2.3.2  Cipher  Block  Chaining  (CBC)  Mode 
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Figure  2.4  Cipher  Block  Chaining  (CBC)  Mode 


As  shown  in  the  upper  half  of  Figure  2.4,  the  Cipher  Block  Chaining  (CBC)  mode  begins 
processing  by  dividing  a  plaintext  message  into  64  bit  data  blocks.  In  CBC  encryption,  the  first 
input  block  (I,,  I2,...,l54)  is  formed  by  exclusive-ORing  the  first  plaintext  data  block  (Dj,  Dj, 
D^)  with  a  64-bit  initialization  vector  IV,  i.e.,  (Ii,l2,...,l64)  =  (IVi®Di,  IV2®D2, ...  TV(^®D(J.  The 
input  block  is  processed  through  the  DES  or  Skipjack  algorithm  in  the  encrypt  state,  and  the 
resulting  output  block  is  used  as  the  ciphertext,  i.e.,  (C,,C2,...,C64)  =  (O ,,02,..., 0^4).  This  first 
ciphertext  block  is  then  exclusive-ORed  with  the  second  plaintext  data  block  to  produce  the 
second  input  block,  i.e.,  (I,,l2,...,l64)  =  (C,®D,,C2®D2,...,C64®D64).  Note  that  I  and  D  now  refer  to 
the  second  block.  The  second  input  block  is  processed  through  the  DES  or  Skipjack  algorithm  in 
the  encrypt  state  to  produce  the  second  ciphertext  block.  This  encryption  process  continues  to 
"chain"  successive  cipher  and  plaintext  blocks  together  until  the  last  plaintext  block  in  the 
message  is  encrypted.  If  the  message  does  not  consist  of  an  integral  number  of  data  blocks,  then 
the  final  partial  data  block  should  be  encr>'pted  in  a  manner  specified  for  the  application.  One 
such  method  is  described  in  Appendix  C  of  FIPS  PUB  81. 
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message  is  used  as  the  input  block  and  is  processed  through  the  DES  or  Skipjack  algorithm  in  the 
decrypt  state,  i.e.,  (I,,l2,...,l64)  =  (C,,C2,...,C64).  The  resulting  output  block,  which  equals  the 
original  input  block  to  the  algorithm  during  encryption,  is  exclusive-ORed  with  the  IV  (which 
must  be  the  same  as  that  used  during  encryption)  to  produce  the  first  plaintext  block,  i.e., 
(Di,D2,...,D64)  =  (OieIVi,02©IV2,...,064eIV64).  The  second  ciphertext  block  is  then  used  as  the 
next  input  block  and  is  processed  through  the  DES  or  Skipjack  algorithm  in  the  decrypt  state. 
The  resulting  output  block  is  exclusive-ORed  with  the  first  ciphertext  block  to  produce  the 
second  plaintext  data  block,  i.e.,  (Di,D2,...,D64)  =  (0,©Ci,  02®C2,...,064©C64).  (Note  D  and  O 
refer  to  the  second  block.)  The  CBC  decryption  process  continues  in  this  manner  until  the  last 
complete  ciphertext  block  has  been  decrypted.  Ciphertext  representing  a  partial  data  block  must 
be  decrypted  in  a  manner  as  specified  for  the  application. 
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2.3.3  Cipher  Feedback  (CFB)  Mode 
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Figure  2.5  Cipher  Feedback  (CFB)  Mode 


The  Cipher  Feedback  (CFB)  mode  is  shown  in  Figure  2.5.  A  message  to  be  encrypted  is  divided 
into  K-bit  data  units,  v^here  K  may  equal  1  through  64  inclusively  (K  =  1,2,. ..,64).  In  both  the 
CFB  encrypt  and  decrypt  operations,  an  initialization  vector  (IV)  of  length  L  is  used,  where  L 
may  equal  1  through  64  inclusively  (L=l,2,...,64).  The  IV  is  placed  in  the  least  significant  bits  of 
the  input  block  with  the  unused  bits  set  to  "0",  i.e.,  (I,,l2,...,l64)  =  (0,0,...,0,IV,,IV2,...,IVl).  This 
input  block  is  processed  through  the  DES  or  Skipjack  algorithm  in  the  encrypt  state  to  produce 
an  output  block.  During  encryption,  ciphertext  is  produced  by  exclusive-ORing  a  K-bit  plaintext 
data  unit  with  the  most  significant  K  bits  of  the  output  block,  i.e.,(C|,C2,...,CK)  =  (D,©0|,  D2®02, 
... ,  Dk^®Ok).  Similarly,  during  decryption,  plaintext  is  produced  by  exclusive-ORing  a  K-bit  unit 
of  ciphertext  with  the  most  significant  K  bits  of  the  output  block,  i.e.,  (D,,D2,...,Dk^)  = 
(C,eO,,C2®02,...,C^©OK).  In  both  cases  the  unused  bits  of  the  output  block  are  discarded.  For 
both  the  encryption  and  decryption  processes,  the  next  input  block  is  created  by  discarding  the 
most  significant  K  bits  of  the  previous  input  block,  shifting  the  remaining  bits  K  positions  to  the 
left  and  then  inserting  the  K  bits  of  ciphertext  just  produced  in  the  encryption  operation  or  just 
used  in  the  decryption  operadon  into  the  least  significant  bit  posidons,  i.e.,  (I,,l2,...,l64)  =  (I[k+i]5 
I[K+2]» ... ,  l64,C,,C2,  ...C|^).  This  input  block  is  then  processed  through  the  DES  or  Skipjack 
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algorithm  in  the  encrypt  state  to  produce  the  next  output  block.  This  process  continues  until  the 
entire  plaintext  message  has  been  encrypted  or  until  the  entire  ciphertext  message  has  been 
decrypted.  For  each  operation  of  the  DES  or  Skipjack  algorithm,  one  K-bit  unit  of  plaintext 
produces  one  K-bit  unit  of  ciphertext,  and  one  K-bit  unit  of  ciphertext  produces  one  K-bit  unit  of 
plaintext. 
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2.3.4  Output  Feedback  (OFB)  Mode 
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Figure  2.6  Output  Feedback  (OFB)  Mode 


The  Output  Feedback  (OFB)  mode  is  shown  in  Figure  2.6,  A  message  to  be  encrypted  is  divided 
into  K-bit  data  units,  where  K  may  equal  1  through  64  inclusively,  (K  =  1,2,. ..,64).  In  both  the 
OFB  encrypt  and  decrypt  operations,  an  initialization  vector  (IV)  of  length  L  is  used,  where  L 
may  equal  1  through  64  inclusively,  (L=l,2,...,64).  The  IV  is  placed  in  the  least  significant  bits 
of  the  input  block  with  the  unused  bits  set  to  "0",  i.e.,  (I„l2,...,l64)  =  (0,0,...,0,IV„IV2,...,IVl).  This 
input  block  is  processed  through  the  DBS  or  Skipjack  algorithm  in  the  encrypt  state  to  produce 
an  output  block.  During  encryption,  ciphertext  is  produced  by  exclusive-ORing  a  K-bit  plaintext 
data  unit  with  the  most  significant  K  bits  of  the  output  block,  i.e.,  (C,,C2,...,Ck3  =  (D,eO,,  D2®02, 
...,Dk^®Ok).  Similarly,  during  decryption,  plaintext  is  produced  by  exclusive-ORing  a  K-bit  unit 
of  ciphertext  with  the  most  significant  K  bits  of  the  output  block,  i.e.,  (D,,D2,...,Dk3  = 
(C,eO,,C2®02,...,CK®OK).  In  both  cases  the  next  input  block  is  assigned  the  value  of  the  output 
block,  i.e.,  (I,,l2,...,l64)  =  (0,,02,  ...,064).  This  input  block  is  then  processed  through  the  DES  or 
Skipjack  algorithm  in  the  encrypt  state  to  produce  the  next  output  block.  This  process  continues 
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until  the  entire  plaintext  message  has  been  encrypted  or  until  the  entire  ciphertext  message  has 
been  decrypted.  For  each  operation  of  the  DES  or  Skipjack  algorithm,  one  K-bit  unit  of  plaintext 
produces  one  K-bit  unit  of  ciphertext  or  one  K-bit  unit  of  ciphertext  produces  one  K-bit  unit  of 
plaintext. 

Note  that,  originally,  FIPS  81  allowed  less  than  64  bits  of  feedback  to  be  used.  It  was  discovered 
that  when  this  is  done,  there  is  a  risk  of  generating  short  cycles.  That  is,  when  the  same  key  is 
used,  and  multiple  encryptions  or  decryptions  have  occurred,  then  the  resulting  output  block  may 
be  equal  to  an  input  block  from  a  previous  iteration.  If  that  occurs,  then  further  encryption  or 
decryption  using  the  same  key  will  result  in  a  repetition  of  previously  generated  output  and  input 
blocks.  This  increases  the  risk  of  a  cryptanalyst  recovering  the  original  plaintext.  Because  of 
this  short  cycle  property,  NIST  does  not  support  the  use  of  the  OFB  mode  for  any  amount  of 
feedback  less  than  64  bits.  Note  that  this  short  cycle  property  is  not  a  problem  with  the  DES 
algorithm,  and  would  occur  using  any  block  cipher  in  a  similar  manner. 
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3.  MODES  OF  OPERATION  VALIDATION  SYSTEM  FOR  THE  DES  AND  SKIPJACK 

ALGORITHMS 


The  MOVS  for  the  DES  and  Skipjack  algorithms  consists  of  two  types  of  tests,  the  Known 
Answer  tests  and  the  Modes  tests.  The  MOVS  provides  conformance  testing  for  the  individual 
components  of  an  lUT  of  the  DES  algorithm  and  analyzes  lUTs  of  the  DES  and  Skipjack 
algorithms  for  apparent  operational  errors.  Note  that  the  individual  components  of  an  lUT  of  the 
Skipjack  algorithm  are  not  tested  by  the  MOVS  since  Skipjack  is  classified. 

The  lUTs  of  the  DES  algorithm  may  be  written  in  software,  firmware,  hardware,  or  any 
combination  thereof  The  lUTs  of  the  Skipjack  algorithm  must  be  implemented  in  electronic 
devices  (e.g.,  very  large  scale  integration  chips).  For  the  remainder  of  this  document ,  the  word 
implementation  will  reflect  the  definition  pertaining  to  the  algorithm  being  discussed. 

An  lUT  must  allow  the  MOVS  to  have  control  over  the  required  input  parameters  for  validation 
to  be  feasible.  The  ability  to  initialize  or  load  known  values  to  the  variables  required  by  a 
specific  test  may  exist  at  the  device  level  or  the  chip  level  in  an  lUT.  If  an  lUT  does  not  allow 
the  MOVS  to  have  control  over  the  input  parameter  values,  the  MOVS  tests  cannot  be 
performed. 

An  lUT  may  implement  encryption  only,  decryption  only,  or  both  encryption  and  decryption. 
This  will  determine  which  MOVS  tests  will  be  performed  by  an  lUT. 

The  following  subsections  provide  an  overview  of  the  Known  Answer  tests  and  the  Modes  tests. 
Also  discussed  are  the  various  tests  required  to  validate  lUTs  of  the  DES  and  Skipjack 
algorithms. 

3.1  The  Known  Answer  Tests 

The  Known  Answer  tests  are  based  on  the  standard  DES  test  set  discussed  in  SP500-20.  When 
applied  to  lUTs  of  the  DES  algorithm,  the  Known  Answer  tests  verify  that  the  lUT  correctly 
performs  the  algorithm.  The  tests  also  provide  conformance  testing  for  the  following 
components  of  an  lUT  of  the  DES  algorithm:  the  initial  permutation  IP,  the  inverse  permutation 
IP"',  the  expansion  matrix  E,  the  data  permutation  P,  the  key  permutations  PCI  and  PC2,  and  the 
substitution  tables  S,,  S2,...,Sg.  When  applied  to  lUTs  of  the  Skipjack  algorithm,  these  same 
tests  verify  that  the  implemented  algorithm  produces  the  correct  results,  i.e.,  given  known  input, 
the  correct  results  are  produced. 

A  generic  overview  of  the  sets  of  Known  Answer  tests  required  for  the  validation  of  lUTs 
implementing  the  encryption  and/or  decryption  processes  of  all  modes  of  operation  for  both  the 
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DES  and  Skipjack  algorithms  are  discussed  below. 
3.1.1    The  Encryption  Process 

An  JUT  of  the  DES  algorithm  which  allows  encryption  requires  the  successful  completion  of  five 
Known  Answer  tests.  These  are  the  Variable  Plaintext  Known  Answer  test,  the  Inverse 
Permutation  Known  Answer  test  for  the  Encryption  Process,  the  Variable  Key  Known  Answer 
test  for  the  Encryption  Process,  the  Permutation  Operation  Known  Answer  test  for  the 
Encryption  Process,  and  the  Substitution  Table  Known  Answer  test  for  the  Encryption  Process. 
The  Permutation  Operation  and  the  Substitution  Table  Known  Answer  tests  do  not  apply  to  the 
Skipjack  algorithm.  Therefore,  an  JUT  of  the  Skipjack  algorithm  which  allows  encryption 
requires  only  the  successful  completion  of  the  Variable  Plaintext  Known  Answer  test,  the  Inverse 
Permutation  Known  Answer  test  for  the  Encryption  Process,  and  the  Variable  Key  Kjiown 
Answer  test  for  the  Encryption  Process. 

These  Known  Answer  tests  are  also  used  in  the  testing  of  lUTs  implementing  the  CFB  and  OFB 
modes  of  operation  in  the  decryption  process.  The  reason  for  this  is  that  both  of  these  modes 
utilize  the  encrypt  state  in  the  decryption  process. 

3.1.1.1  The  Variable  Plaintext  Known  Answer  Test 

To  perform  the  Variable  Plaintext  Known  Answer  test,  the  MOVS  supplies  the  lUT  with  initial 
values  for  the  plaintext  and,  if  applicable,  the  initialization  vector.  These  values  are  dependent 
upon  the  mode  of  operation  being  implemented.  The  key  should  be  initialized  to  zero.  Each 
block  of  data  input  into  the  DES  or  Skipjack  algorithm  is  represented  as  a  64-bit  basis  vector.  By 
definition,  a  basis  vector  is  a  vector  consisting  of  a  "  1 "  in  the  i""  position  and  "0"  in  all  of  the 
other  positions.  The  input  block  is  processed  through  the  algorithm  in  the  encrypt  state.  The 
resulting  output  block  is  used  in  the  calculation  of  the  ciphertext  which  is  then  recorded.  Each  of 
the  basis  vectors  is  tested.  At  the  completion  of  the  64""  test,  all  results  are  verified  for 
correctness. 

If  correct  results  are  obtained  from  an  lUT  of  the  DES  algorithm,  the  Variable  Plaintext  Known 
Answer  test  has  verified  the  initial  permutation  (IP)  and  the  expansion  matrix  E  by  presenting  a 
full  set  of  basis  vectors  to  the  IP  and  to  the  E.  If  the  results  from  each  test  of  an  lUT  of  the 
Skipjack  algorithm  match  the  expected  results,  the  Skipjack  algorithm  has  been  verified. 

3.1.1.2  The  Inverse  Permutation  Known  Answer  Test  for  the  Encrypt  State 

To  perform  the  Inverse  Permutation  Known  Answer  test,  the  MOVS  supplies  the  lUT  with  initial 
values  for  the  plaintext  and,  if  applicable,  the  initialization  vector.  The  plaintext  values  are  set  to 
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the  ciphertext  results  obtained  from  the  Variable  Plaintext  Known  Answer  test. 

The  key  being  used  by  this  test  is  called  a  self  dual  key.  A  self  dual  key  is  a  key  with  the 
property  that  when  you  encrypt  twice  with  this  key  the  result  is  the  initial  input.  Therefore,  it  is 
like  encrypting  and  decrypting  with  the  same  key.  The  key  should  be  initialized  to  zero,  the  same 
value  used  in  the  Variable  Plaintext  Known  Answer  test. 

The  input  block  is  processed  through  the  algorithm  in  the  encrypt  state.  The  resulting  output 
block  is  used  in  the  calculation  of  the  ciphertext  which  is  then  recorded.  The  ciphertext  should 
be  the  same  as  the  plaintext  used  as  input  to  the  Variable  Plaintext  Known  Answer  test.  At  the 
completion  of  the  64""  test,  all  results  are  verified  for  correctness. 

This  test,  when  applied  to  an  lUT  of  the  DES  algorithm,  verifies  the  inverse  permutation  (IP"')  by 
presenting  each  basis  vector  to  the  IP"'  as  the  basis  vectors  are  recovered.  If  the  results  from  each 
test  of  an  lUT  of  the  Skipjack  algorithm  match  the  expected  results,  the  Skipjack  algorithm  has 
been  verified. 


3.1.1.3  The  Variable  Key  Known  Answer  Test  for  the  Encryption  Process 

To  implement  the  Variable  Key  Known  Answer  test  for  the  Encryption  Process,  the  MOVS 
supplies  the  lUT  with  initial  values  for  the  key,  the  plaintext,  and,  if  applicable,  the  initialization 
vector.  During  the  initialization  process,  the  plaintext  and  the  initialization  vector  are  set  to  zero. 
The  key  is  initialized  to  an  «-bit  vector,  where  n  is  56  if  DES  is  being  implemented,  and  80  if 
Skipjack  is  being  implemented.  This  vector  will  contain  a  "1"  in  the  i""  significant  position  and 
"0"s  is  all  remaining  significant  positions  of  a  key  where  i  =  1  to  n.  (Note  that  the  parity  bits  are 
not  counted  in  the  significant  bits.  These  parity  bits  may  be  "  1  "s  or  "0"s  to  maintain  odd  parity.) 
An  input  block  is  then  formed  according  to  the  mode  of  the  algorithm  being  implemented,  and 
encrypted.  The  resulting  output  block  is  used  in  the  calculation  of  the  ciphertext  which  is 
recorded  for  later  comparison.  This  test  is  repeated  n  times,  allowing  for  every  possible  vector  to 
be  tested.  At  the  completion  of  the     test,  all  results  are  verified  for  correctness. 

When  this  test  is  performed  for  an  lUT  of  the  DES  algorithm,  the  56  possible  basis  vectors  which 
yield  unique  keys  are  presented  to  PC  1  verifying  the  key  permutation,  PC  1 .  Since  the  key 
schedule  consists  of  left  shifts,  as  i  ranges  over  the  index  set,  a  complete  set  of  basis  vectors  is 
presented  to  PC2  as  well,  so  this  is  verified.  If  the  results  from  each  test  of  an  lUT  of  the 
Skipjack  algorithm  match  the  expected  results,  the  Skipjack  algorithm  has  been  verified. 
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3.1.1.4  The  Permutation  Operation  Known  Answer  Test  for  the  Encryption  Process 

The  Permutation  Operation  Known  Answer  test  for  the  Encryption  Process  only  applies  to  lUTs 
of  the  DES  algorithm.  To  implement  this  test,  the  MOVS  supplies  the  lUT  with  initial  values  for 
the  key,  the  plaintext  and,  if  applicable,  the  initialization  vector,  with  the  plaintext  and 
initialization  vector  being  set  to  zero.  Based  on  the  mode  of  operation  of  DES  implemented,  an 
input  block  is  formed  and  encrypted.  The  resulting  output  block  is  used  in  the  calculation  of  the 
ciphertext  which  is  recorded  for  later  comparison.  This  test  is  repeated  32  times,  allowing  for  32 
given  values  to  be  tested.  At  the  completion  of  the  32"**  test,  all  results  are  verified  for 
correctness. 

This  test  presents  a  complete  set  of  basis  vectors  to  the  permutation  operator  P.  By  doing  so,  P  is 
verified. 


3.1.1.5  The  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process 

The  Substitution  Table  Known  Answer  test  for  the  Encryption  Process  only  applies  to  lUTs  of 
the  DES  algorithm.  The  MOVS  supplies  the  lUT  with  initial  values  for  the  key,  the  plaintext 
and,  if  applicable,  the  initialization  vector  which  is  initialized  to  zero.  Based  on  the  mode  of 
operation  of  DES  implemented,  an  input  block  is  formed  and  encrypted.  The  resulting  output 
block  is  used  in  the  calculation  of  the  ciphertext  which  is  recorded  for  later  comparison.  This  test 
is  repeated  19  times  in  order  to  process  a  set  of  19  key-data  pairs.  At  the  completion  of  the  19* 
test,  all  results  are  verified  for  correctness. 

The  set  of  19  key-data  pairs  used  in  this  test  result  in  every  entry  of  all  eight  S-box  substitution 
tables  being  used  at  least  once.  Thus,  this  test  verifies  the  eight  substitution  tables  of  64  entries 
each. 
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3.1.2     The  Decryption  Process 

The  five  Known  Answer  tests  required  for  validation  of  lUTs  implementing  the  decryption 
process  of  the  DES  or  Skipjack  algorithms  consist  of  the  Variable  Ciphertext  Known  Answer 
test,  the  Initial  Permutation  Known  Answer  test  for  the  Decryption  Process,  the  Variable  Key 
Known  Answer  test  for  the  Decryption  Process,  the  Permutation  Operation  Known  Answer  test 
for  the  Decryption  Process  and  the  Substitution  Table  Known  Answer  test  for  the  Decryption 
Process.  These  tests  can  only  be  performed  by  lUTs  that  support  the  Electronic  Codebook  (ECB) 
and  the  Cipher  Block  Chaining  (CBC)  modes  of  operation  since  only  these  modes  of  operation 
utilize  the  decrypt  state  during  the  decryption  process.  The  CFB  and  OFB  modes  of  operation 
utilize  the  encrypt  state  in  the  decryption  process  and  therefore  should  be  tested  using  the  same 
Known  Answer  tests  used  for  lUTs  that  support  the  encryption  process.  Only  the  Variable 
Ciphertext  Known  Answer  test,  the  Initial  Permutation  Known  Answer  test  for  the  Decryption 
Process,  and  the  Variable  Key  Known  Answer  test  for  the  Decryption  Process  apply  to  the 
Skipjack  algorithm. 

3.1.2.1  The  Variable  Ciphertext  Known  Answer  Test 

To  perform  the  Variable  Ciphertext  Known  Answer  test,  the  values  of  the  ciphertext,  the  key, 
and,  if  applicable,  the  initialization  vector  are  initialized,  with  the  key  and  the  initialization 
vector  being  initialized  to  zero.  If  the  lUT  performs  both  encryption  and  decryption,  the  values 
resulting  from  the  encryption  performed  in  the  Variable  Plaintext  Known  Answer  test  will  be 
used  to  initialize  the  ciphertext.  Otherwise,  the  MOVS  will  supply  the  lUT  with  the  ciphertext 
values. 

The  value  of  the  ciphertext  is  used  directly  as  the  input  block  of  data.  The  input  block  is 
processed  through  the  algorithm  in  the  decrypt  state,  resulting  in  an  output  block.  The  output 
block  is  used  in  the  calculation  of  the  plaintext  which  is  then  recorded.  This  test  is  repeated  for 
64  cycles  and  should  result  in  a  set  of  64  different  basis  vectors.  For  lUTs  of  the  DES  algorithm, 
this  test  verifies  the  inverse  permutation  IP  '  by  presenting  the  basis  vectors  to  the  IP"'  as  they  are 
recovered. 

If  the  Skipjack  algorithm  is  implemented  and  the  lUT  produces  correct  results  (i.e.,  the  basis 
vectors  are  recovered),  this  test  ends  successfully. 

3.1.2.2  The  Initial  Permutation  Known  Answer  Test  for  the  Decryption  Process 

To  perform  the  Initial  Permutation  Known  Answer  test  for  the  Decryption  Process,  the  values  of 
the  ciphertext  are  set  to  the  resulting  plaintext  values  obtained  from  the  Variable  Ciphertext 
Known  Answer  test.  The  key,  and,  if  applicable,  the  initialization  vector  are  set  to  the  same 
values  used  in  the  Variable  Ciphertext  Known  Answer  test,  i.e.,  they  are  set  to  zero. 
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The  value  of  the  ciphertext  is  used  directly  as  the  input  block  of  data.  The  input  block  is 
processed  through  the  algorithm  in  the  decrypt  state,  resulting  in  an  output  block.  The  output 
block  is  used  in  the  calculation  of  the  plaintext  which  is  then  recorded.  This  test  is  repeated  for 
64  cycles  and  should  result  in  the  set  of  ciphertext  values  used  as  input  to  the  Variable  Ciphertext 
Known  Answer  test. 

For  lUTs  of  the  DES  algorithm,  the  initial  permutation  IP  and  the  expansion  matrix  E  are  verified 
by  presenting  the  full  set  of  basis  vectors  to  both  of  them. 

If  the  Skipjack  algorithm  is  implemented  and  the  lUT  produces  correct  results  (i.e.,  the  basis 
vectors  are  recovered),  this  test  ends  successfully. 

3.1.2.3  The  Variable  Key  Known  Answer  Test  for  the  Decryption  Process 

To  implement  the  Variable  Key  Known  Answer  test  for  the  Decryption  Process,  the  values  of  the 
ciphertext,  key,  and,  if  applicable,  the  initialization  vector  are  initialized.  The  ciphertext  is 
initialized  in  one  of  two  ways.  If  the  lUT  performs  both  encryption  and  decryption,  the  values 
resulting  from  the  encryption  performed  in  the  Variable  Key  Known  Answer  test  for  the 
Encryption  Process  will  be  used  to  initialize  the  ciphertext.  Otherwise,  the  lUT  will  obtain  the 
ciphertext  values  from  the  MO  VS.  The  IV  is  set  to  zero.  The  key  is  initialized  to  an  «-bit  vector, 
where  n  is  56  if  DES  is  being  implemented  and  80  if  Skipjack  is  being  implemented.  This  vector 
will  contain  a  "1"  in  the  i""  significant  position  and  "0"s  is  all  remaining  significant  positions  of  a 
key  where  i  =  1  to  «.  (Note  that  the  parity  bits  are  not  counted  in  the  significant  bits.  These 
parity  bits  may  be  "  1  "s  or  "0"s  to  maintain  odd  parity.) 

The  value  of  the  ciphertext  is  used  directly  as  the  input  block  of  data.  The  input  block  is 
processed  through  the  algorithm  in  the  decrypt  state.  According  to  the  mode  of  operation 
supported  by  the  lUT,  the  resulting  output  block  is  used  in  the  calculation  of  the  plaintext  which 
is  recorded  for  later  comparison.  This  test  is  repeated  n  times  allowing  for  every  possible  vector 
to  be  tested.  At  the  completion  of  the     test,  all  results  are  verified  against  known  values  for 
correctness.  If  the  results  are  correct  for  an  lUT  of  the  DES  algorithm,  it  can  be  assumed  that  this 
test  verifies  the  right  shifts  in  the  key  schedule  as  the  basis  vectors  are  recovered. 

If  the  results  from  each  test  of  an  lUT  of  the  Skipjack  algorithm  match  the  expected  results,  the 
Skipjack  algorithm  has  been  verified. 

3.1.2.4  The  Permutation  Operation  Known  Answer  Test  for  the  Decryption  Process 

The  Permutation  Operation  Known  Answer  test  for  the  Decryption  Process  only  applies  to  lUTs 
of  the  DES  algorithm.  To  implement  this  test,  values  for  the  key  and  ciphertext  are  supplied  in 
one  of  two  ways.  If  the  lUT  performs  both  encryption  and  decryption,  values  for  the  key  and 
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ciphertext  resulting  from  the  encryption  performed  in  the  Permutation  Operation  Known  Answer 
test  for  the  Encryption  Process  will  be  used.  Otherwise,  the  key  and  ciphertext  values  will  be 
supplied  by  the  MOVS.  If  applicable,  the  initialization  vector  will  be  set  to  zero. 

The  value  of  the  ciphertext  is  used  directly  as  the  input  block  of  data.  The  input  block  is 
processed  through  the  algorithm  in  the  decrypt  state.  According  to  the  mode  of  operation 
supported  by  the  JUT,  the  resulting  output  block  is  used  in  the  calculation  of  the  plaintext  which 
is  recorded  for  later  comparison.  This  test  is  repeated  32  times  allowing  for  the  32  key-ciphertext 
values  to  be  tested.  At  completion,  the  results  of  each  of  the  32  tests  is  verified  to  be  zero. 

The  32  key  values  used  in  this  test  present  a  complete  set  of  basis  vectors  to  the  permutation 
operator  P.  By  doing  so,  P  is  verified. 

3.1.2.5  The  Substitution  Table  Known  Answer  Test  for  the  Decryption  Process 

The  Substitution  Table  Known  Answer  test  for  the  Decryption  Process  only  applies  to  lUTs  of 
the  DES  algorithm.  To  implement  this  test,  values  for  the  key  and  ciphertext  are  supplied  in  one 
of  two  ways.  If  the  lUT  performs  both  encryption  and  decryption,  the  values  for  the  key  and 
ciphertext  resulting  from  the  encryption  performed  in  the  Substitution  Table  Known  Answer  test 
for  the  Encryption  Process  will  be  used.  Otherwise,  the  key  and  ciphertext  values  will  be 
supplied  by  the  MOVS.  If  applicable,  the  initialization  vector  will  be  set  to  zero. 

The  value  of  the  ciphertext  is  used  directly  as  the  input  block  of  data.  This  input  block  is 
processed  through  the  algorithm  in  the  decrypt  state.  Based  on  the  mode  of  operation 
implemented  by  the  lUT,  the  resulting  output  block  is  used  in  the  calculation  of  the  plaintext 
which  is  recorded  for  later  comparison.  This  test  is  repeated  19  times  in  order  to  process  the  set 
of  1 9  key-data  pairs  that  result  in  every  entry  of  all  eight  substitution  tables  being  used  at  least 
once.  At  the  completion  of  the  1 9*  test,  all  results  are  verified  for  correctness.  If  the  lUT 
produces  correct  results,  the  eight  S-box  substitution  tables  of  64  entries  each  have  been  verified. 

3.2  The  Modes  Test 

The  Modes  test  is  the  second  type  of  validation  test  required  to  validate  lUTs  of  the  DES  and 
Skipjack  algorithms.  The  Modes  test  is  based  on  the  Monte-Carlo  test  discussed  in  SP500-20. 
They  are  designed  to  use  pseudo-random  data  to  verify  that  the  lUT  has  not  been  designed  just 
to  pass  the  Known  Answer  tests.  A  successful  series  of  Modes  tests  gives  some  assurance  that 
an  anomalous  combination  of  inputs  does  not  exist  that  would  cause  the  test  to  end  abnormally 
for  reasons  not  directly  related  to  the  implementation  of  the  algorithm.  An  additional  purpose 
of  the  Modes  test  is  to  verify  that  no  undesirable  condition  within  the  lUT  will  cause  the  key  or 
plaintext  to  be  exposed  due  to  an  implementation  error.  This  test  also  checks  for  the  presence 
of  an  apparent  operational  error. 
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The  MOVS  supplies  the  lUT  with  initial  input  values  for  the  key,  the  plaintext  (or  ciphertext), 
and,  if  applicable,  an  initialization  vector.  The  Modes  test  is  then  performed  (as  described  in 
the  following  paragraph)  and  the  resulting  ciphertext  (or  plaintext)  values  are  recorded  and 
compared  to  known  results.  If  an  error  is  detected,  the  erroneous  result  is  recorded,  and  the  test 
terminates  abnormally.  Otherwise,  the  test  continues.  If  the  lUT's  results  are  correct,  the 
Modes  test  for  the  lUT  ends  successfully. 

Each  Modes  test  consists  of  four  million  cycles  through  the  DES  or  Skipjack  algorithm 
implemented  in  the  lUT.  These  cycles  are  divided  into  four  hundred  groups  of  10,000 
iterations  each.  Each  iteration  consists  of  processing  an  input  block  through  the  DES  or 
Skipjack  algorithm  resulting  in  an  output  block.  At  the  10,000""  cycle  in  an  iteration,  new 
values  are  assigned  to  the  variables  needed  for  the  next  iteration.  The  results  of  each  1 0,000"" 
encryption  or  decryption  cycle  are  recorded  and  evaluated  as  specified  in  the  preceding 
paragraph. 
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4.  BASIC  PROTOCOL 


4.1  Overview 

Input  and  output  messages  used  to  convey  information  between  the  MOVS  and  the  lUT  shall 
consist  of  specific  fields.  The  format  of  these  input  and  output  messages  is  beyond  the  scope  of 
this  document  and  the  testing  laboratories  have  the  option  to  determine  the  specific  formats  of 
those  messages.  However,  the  results  sent  to  NIST  must  include  certain  minimum  information, 
which  is  specified  in  Section  4.4  Output  Types. 

A  separate  message  shall  be  created  for  each  mode  of  operation  supported  by  an  JUT.  The 
information  shall  indicate  the  algorithm  used  (DES  or  Skipjack),  the  mode  of  operation  (ECB, 
CBC,  CFB-including  feedback  amounts,  or  OFB),  the  state  (encrypt  and/or  decrypt),  the  test 
being  performed  (one  of  the  various  Known  Answer  tests,  or  the  Modes  tests),  and  the  required 
data  fields.  The  required  data  may  consist  of  counts,  keys,  initialization  vectors,  and  data 
representing  plaintext  or  ciphertext.  Every  field  in  an  output  message  shall  be  clearly  labeled  to 
indicate  its  contents  -  this  is  especially  important  for  NIST  to  be  able  to  ensure  that  test  results 
are  complete. 

4.1.1  Conventions 

The  following  conventions  shall  be  used  in  the  data  portion  of  messages  between  the  MOVS 
and  the  lUT: 

1.  Integers:  integers  shall  be  unsigned  and  shall  be  represented  in  decimal  notation. 
(See  Section  4. 1 .2  for  these  notations.) 

2.  Hexadecimal  strings:  shall  consist  of  ASCII  hexadecimal  characters.  The  ASCII 
hexadecimal  characters  to  be  used  shall  consist  of  the  ASCII  characters  0-9  and 
A-F  (or  a-f),  which  represent  4-bit  binary  values. 

3.  Characters:  the  characters  to  be  represented  are  A-Z  (or  a-z),  0-9,  and 
underscore  (_). 

4.1.2  Message  Data  Types 

The  following  data  types  shall  be  used  in  messages  between  the  MOVS  and  the  lUT: 
1.       Decimal  integers:  a  decimal  integer  shall  have  the  form 
ddd ...  dd 
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where  each 'd'  shall  represent  a  decimal  character  (0-9);  one  or  more  characters 
shall  be  present.  The  characters  must  be  contiguous. 


2.       Hexadecimal  strings:  a  hexadecimal  string  shall  have  the  form 
hhh  ...  hh 


where  each  'h'  shall  represent  an  ASCII  character  0-9  or  A-F  (or  a-f).  Each  'h' 
shall  represent  a  4-bit  binary  value. 

Characters:  an  ASCII  character  shall  have  the  form 


c 


where  'c'  shall  represent  an  ASCII  character  A-Z  (or  a-z),  0-9,  and  underscore 


4.2  Message  Contents 


The  information  included  in  a  message  shall  consist  of  the  following: 
Algorithm  -  selections  shall  consist  of  DES  or  Skipjack, 

Mode  -  selections  shall  consist  of  ECB,  CBC,  CFB-including  feedback  amounts, 
or  OFB, 

Process  -  selections  shall  consist  of  ENCRYPT  or  DECRYPT, 
Test  -  selections  shall  consist  of: 


VTEXT  for  Variable  Plaintext/Ciphertext  Known  Answer  test 
VKEY  for  Variable  Key  Known  Answer  test 
INVPERM  for  Inverse  Permutation  Known  Answer  test 
INITPERM  for  Initial  Permutation  Known  Answer  test 
PERM  for  Permutation  Operation  Known  Answer  test 
SUB  for  Substitution  Table  Known  Answer  test 
MODES  for  Modes  test 


Input/Output  Data 

The  contents  of  the  input/output  data  included  in  a  message  shall  depend  on  the  algorithm, 
mode,  process,  and  test  being  performed.  These  different  combinations  of  data  have  been 
organized  into  input  types  and  output  types.  The  input  types  shall  be  used  by  the  MOVS  to 
supply  data  to  the  lUT  for  testing.  The  output  types  shall  be  used  by  the  lUT  to  supply  results 
from  the  tests  to  the  MOVS,  and  eventually  to  NIST. 
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4.3  Input  Types 

Twelve  different  combinations  of  input  data  shall  be  used  by  the  MOVS  to  support  the  various 
Known  Answer  tests  and  Modes  tests  . 


4.3.1  Input  Type  1 

Input  Type  1  shall  consist  of: 
KEY  and  DATA 

where  KEY  shall  be  represented  as  k  bits  in  hexadecimal  notation  (i.e.,  4  bits  per 
hexadecimal  character).  If  the  lUT  implements  the  DES  algorithm,  the  KEY  shall 
consist  of  16  hexadecimal  characters  (i.e.,  64  bits,  k  =  64).  The  8  parity  bits  shall  be 
present  but  ignored,  yielding  56  significant  bits.  For  consistency  purposes,  the  DES  key 
shall  be  presented  in  odd  parity.  If  the  lUT  implements  the  Skipjack  algorithm,  the 
KEY  shall  consist  of  20  hexadecimal  characters  (i.e.  80  bits,  k  =  80).  Skipjack  does  not 
check  parity,  thus  every  bit  in  the  key  is  significant;  and 

DATA  shall  be  a  1 6  character  ASCII  hexadecimal  string  representing  plaintext  if  the 
encrypt  process  is  being  tested,  or  ciphertext  if  the  decrypt  process  is  being  tested. 

4.3.2  Input  Type  2 

Input  Type  2  shall  consist  of: 

KEY,IV,  and  DATA 

where  KEY  shall  be  represented  as  k  bits  in  hexadecimal  notation  (i.e.,  4  bits  per 
hexadecimal  character).  If  the  lUT  implements  the  DES  algorithm,  the  KEY  shall 
consist  of  16  hexadecimal  characters  (i.e.,  64  bits,  k  =  64).  The  8  parity  bits  shall  be 
present  but  ignored,  yielding  56  significant  bits.  For  consistency  purposes,  the  DES  key 
shall  be  presented  in  odd  parity.  If  the  lUT  implements  the  Skipjack  algorithm,  the 
KEY  shall  consist  of  20  hexadecimal  characters  (i.e.  80  bits,  k  =  80).  Skipjack  does  not 
check  parity,  thus  every  bit  in  the  key  is  significant; 

IV  shall  be  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit 
initialization  vector;  and 

'        DATA  shall  be  1  to  64  binary  bits  represented  as  a  16  character  ASCII  hexadecimal 
string  representing  plaintext  if  the  encrypt  process  is  being  tested,  or  ciphertext  if  the 
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decrypt  process  is  being  tested. 


4.3.3  Input  Type  3 

Input  Type  3  shall  consist  of: 

KEY,«,CT„CT2,...CT„ 

where  KEY  shall  be  represented  as  k  bits  in  hexadecimal  notation  (i.e.,  4  bits  per 
hexadecimal  character).  If  the  lUT  implements  the  DES  algorithm,  the  KEY  shall 
consist  of  16  hexadecimal  characters  (i.e.,  64  bits,  k  =  64).  The  8  parity  bits  shall  be 
present  but  ignored,  yielding  56  significant  bits.  For  consistency  purposes,  the  DES  key 
shall  be  presented  in  odd  parity.  If  the  lUT  implements  the  Skipjack  algorithm,  the 
KEY  shall  consist  of  20  hexadecimal  characters  (i.e.  80  bits,  k  =  80).  Skipjack  does  not 
check  parity,  thus  every  bit  in  the  key  is  significant; 

n  is  an  integer  which  shall  indicate  the  number  of  ciphertext  (CT)  values  to  follow;  and 

each  CT„  shall  be  1  to  64  binary  bits  represented  as  a  16  character  ASCII  hexadecimal 
string. 


4.3.4  Input  Type  4 

Input  Type  4  shall  consist  of: 
KEY 

where  KEY  shall  be  represented  as  k  bits  in  hexadecimal  notation  (i.e.,  4  bits  per 
hexadecimal  character).  If  the  lUT  implements  the  DES  algorithm,  the  KEY  shall 
consist  of  16  hexadecimal  characters  (i.e.,  64  bits,  k  =  64).  The  8  parity  bits  shall  be 
present  but  ignored,  yielding  56  significant  bits.  For  consistency  purposes,  the  DES  key 
shall  be  presented  in  odd  parity.  If  the  lUT  implements  the  Skipjack  algorithm,  the 
KEY  shall  consist  of  20  hexadecimal  characters  (i.e.  80  bits,  k  =  80).  Skipjack  does  not 
check  parity,  thus  every  bit  in  the  key  is  significant. 

4.3.5  Input  Type  5 

Input  Type  5  shall  consist  of: 

KEY,IV,«,TEXT„TEXT2,...TEXT„ 
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where  KEY  shall  be  represented  as  k  bits  in  hexadecimal  notation  (i.e.,  4  bits  per 
hexadecimal  character).  If  the  lUT  implements  the  DES  algorithm,  the  KEY  shall 
consist  of  16  hexadecimal  characters  (i.e.,  64  bits,  k  =  64).  The  8  parity  bits  shall  be 
present  but  ignored,  yielding  56  significant  bits.  For  consistency  purposes,  the  DES  key 
shall  be  presented  in  odd  parity.  If  the  lUT  implements  the  Skipjack  algorithm,  the 
KEY  shall  consist  of  20  hexadecimal  characters  (i.e.  80  bits,  k  =  80).  Skipjack  does  not 
check  parity,  thus  every  bit  in  the  key  is  significant; 

IV  shall  be  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit 
initialization  vector; 

n  is  an  integer  which  shall  indicate  the  number  of  TEXT  values  to  follow;  and 

each  TEXT,,  shall  be  1  to  64  binary  bits  represented  as  a  1 6  character  ASCII 
hexadecimal  string.  TEXT  shall  represent  PT,  CT,  or  RESULT. 

4.3.6  Input  Type  6 

Input  Type  6  shall  consist  of: 
KEY  and  IV 

where  KEY  shall  be  represented  as  k  bits  in  hexadecimal  notation  (i.e.,  4  bits  per 
hexadecimal  character).  If  the  lUT  implements  the  DES  algorithm,  the  KEY  shall 
consist  of  16  hexadecimal  characters  (i.e.,  64  bits,  k  =  64).  The  8  parity  bits  shall  be 
present  but  ignored,  yielding  56  significant  bits.  For  consistency  purposes,  the  DES  key 
shall  be  presented  in  odd  parity.  If  the  lUT  implements  the  Skipjack  algorithm,  the 
KEY  shall  consist  of  20  hexadecimal  characters  (i.e.  80  bits,  k  =  80).  Skipjack  does  not 
check  parity,  thus  every  bit  in  the  key  is  significant;  and 

IV  shall  be  a  1 6  character  ASCII  hexadecimal  string  representing  the  64-bit 
initialization  vector. 


4.3.7  Input  Type  7 

Input  Type  7  shall  consist  of 

PT,KEY„KEY2,...KEY32 

where  PT  shall  be  1  to  64  binary  bits  represented  as  a  16  character  ASCII  hexadecimal 
string;  and 


26 


each  KEY,-,  where  i=l  to  32,  shall  be  represented  as  k  bits  m  hexadecimal  notation  (i.e., 
4  bits  per  hexadecimal  character).  If  the  lUT  implements  the  DES  algorithm,  the  KEY 
shall  consist  of  16  hexadecimal  characters  (i.e.,  64  bits,  k  =  64).  The  8  parit\'  bits  shall 
be  present  but  ignored,  yielding  56  significant  bits.  For  consistency  purposes,  the  DES 
key  shall  be  presented  in  odd  paritv'.  If  the  lUT  implements  the  Skipjack  algorithm,  the 
KEY  shall  consist  of  20  hexadecimal  characters  (i.e.  80  bits,  k  =  80).  Skipjack  does  not 
check  parity,  thus  every  bit  in  the  key  is  significant. 

4.3.8  Input  Type  8 

Input  Type  8  shall  consist  of: 

TEXT,rV,KE  Yi  ,KE  Y,, . .  .KE  Y32 

where  TEXT  shall  be  1  to  64  binar}-  bits  represented  as  a  16  character  ASCII 
hexadecimal  string.  (NOTE:  TEXT  may  be  referred  to  as  plaintext  or  text.); 

rV  shall  be  a  16  character  ASCII  hexadecimal  string  representing  the  64-bit 
initialization  vector:  and 

each  KEY,-,  where  i=l  to  32,  shall  be  represented  as  k  bits  in  hexadecimal  notation  (i.e.. 
4  bits  per  hexadecimal  character).  If  the  lUT  implements  the  DES  algorithm,  the  KEY 
shall  consist  of  16  hexadecimal  characters  (i.e.,  64  bits,  k  =  64).  The  8  parity  bits  shall 
be  present  but  ignored,  yielding  56  significant  bits.  For  consistency  purposes,  the  DES 
key  shall  be  presented  in  odd  parit>'.  If  the  lUT  implements  the  Skipjack  algorithm,  the 
KEY  shall  consist  of  20  hexadecimal  characters  (i.e.  80  bits,  k  =  80).  Skipjack  does  not 
check  parity,  thus  every  bit  in  the  key  is  significant. 

4.3.9  Input  Type  9 

Input  Type  9  supplies  fi  key/input  block  pairs.  It  shall  consist  of: 

«,PAIR,,PAIR,,...PAIR„ 

In  this  input  type,  the  integer  n  shall  indicate  the  number  of  KEY  values  to  follow.  Each 
PAIR,  shall  consist  of 

KEY,  and  TEXT, 

where  each  KEY,,  where  /-I  to  n.  shall  be  represented  as  k  bits  in  hexadecimal  notation 
(i.e.,  4  bits  per  hexadecimal  character).  If  the  lUT  implements  the  DES  algorithm,  the 
KEY  shall  consist  of  16  hexadecimal  characters  (i.e.,  64  bits,  k  =  64).  The  8  parity  bits 
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shall  be  present  but  ignored,  yielding  56  significant  bits.  For  consistency  purposes,  the 
DES  key  shall  be  presented  in  odd  parity.  If  the  lUT  implements  the  Skipjack 
algorithm,  the  KEY  shall  consist  of  20  hexadecimal  characters  (i.e.  80  bits,  k  =  80). 
Skipjack  does  not  check  parity,  thus  every  bit  in  the  key  is  significant;  and 

each  TEXT,,  for  /  =  1  to  «,  shall  be  a  16  character  ASCII  hexadecimal  string 
representing  either  plaintext  or  ciphertext. 


4.3.10  Input  Type  10 

Input  Type  10  shall  consist  of: 

«,KEY„KEY2,...KEY„ 

where  n  is  an  integer  which  shall  indicate  the  number  of  KEY  values  to  follow;  and 

each  KEY,,  where  z=l  to  n,  shall  be  represented  as  k  bits  in  hexadecimal  notation  (i.e.,  4 
bits  per  hexadecimal  character).  If  the  lUT  implements  the  DES  algorithm,  the  KEY 
shall  consist  of  16  hexadecimal  characters  (i.e.,  64  bits,  k  =  64).  The  8  parity  bits  shall 
be  present  but  ignored,  yielding  56  significant  bits.  For  consistency  purposes,  the  DES 
key  shall  be  presented  in  odd  parity.  If  the  lUT  implements  the  Skipjack  algorithm,  the 
KEY  shall  consist  of  20  hexadecimal  characters  (i.e.  80  bits,  k  =  80).  Skipjack  does  not 
check  parity,  thus  every  bit  in  the  key  is  significant. 

4.3.11  Input  Type  11 

Input  Type  1 1  shall  consist  of 

INITVAL,«,PAIR„PAIR2,. .  .PAIR„ 

where  INITVAL  shall  be  a  16  character  ASCII  hexadecimal  string  representing  either 
the  64  bit  IV  or  the  TEXT,  depending  on  the  mode  of  operation  implemented  by  the 
lUT.  (NOTE:  The  TEXT  may  be  referred  to  as  plaintext,  ciphertext,  or  text.); 

n  is  an  integer  which  shall  indicate  the  number  of  KEY/INPUT  PAIRs  to  follow. 

Each  PAIR,  shall  consist  of 

KEY,  and  IB, 

where  each  KEY,,  where  i=\  to  n,  shall  be  represented  as  k  bits  in  hexadecimal  notation 
(i.e.,  4  bits  per  hexadecimal  character).  If  the  lUT  implements  the  DES  algorithm,  the 
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KEY  shall  consist  of  16  hexadecimal  characters  (i.e.,  64  bits,  k  =  64).  The  8  parity  bits 
shall  be  present  but  ignored,  yielding  56  significant  bits.  For  consistency  purposes,  the 
DES  key  shall  be  presented  in  odd  parity.  If  the  lUT  implements  the  Skipjack 
algorithm,  the  KEY  shall  consist  of  20  hexadecimal  characters  (i.e.  80  bits,  k  =  80). 
Skipjack  does  not  check  parity,  thus  every  bit  in  the  key  is  significant;  and 

each  IB,  shall  be  a  16  character  ASCII  hexadecimal  string  representing  either  the  64  bit 
IV,  PT  or  CT,  depending  on  the  mode  of  operation  implemented. 

4.3.12  Input  Type  12 

Input  Type  12  shall  consist  of: 

INITVAL,«,KEY„KEY2,...KEY„ 

where  INITVAL  shall  be  a  16  character  ASCII  hexadecimal  string  representing  either 
the  64  bit  IV  or  the  64  bit  TEXT  depending  on  the  mode  of  operation  implemented  by 
the  lUT.  (NOTE:  The  TEXT  may  be  referred  to  as  ciphertext.); 

n  is  an  integer  which  shall  indicate  the  number  of  KEYS  to  follow;  and 

each  KEY,,  where  i=\  to  n,  shall  be  represented  as  k  bits  in  hexadecimal  notation  (i.e.,  4 
bits  per  hexadecimal  character).  If  the  lUT  implements  the  DES  algorithm,  the  KEY 
shall  consist  of  16  hexadecimal  characters  (i.e.,  64  bits,  k  =  64).  The  8  parity  bits  shall 
be  present  but  ignored,  yielding  56  significant  bits.  For  consistency  purposes,  the  DES 
key  shall  be  presented  in  odd  parity.  If  the  lUT  implements  the  Skipjack  algorithm,  the 
KEY  shall  consist  of  20  hexadecimal  characters  (i.e.  80  bits,  k  =  80).  Skipjack  does  not 
check  parity,  thus  every  bit  in  the  key  is  significant. 

4.4  Output  Types 

Two  different  combinations  of  output  data  are  used  by  the  MOVS  to  support  the  various 
Known  Answer  tests  and  Modes  tests. 

4.4.1  Output  Type  1 

Output  Type  1  shall  consist  of: 

COUNT,KEY,DATA,  and  RESULT 

where  COUNT  shall  be  an  integer  between  1  and  400,  i.e.,  0  <  COUNT  <=  400, 
representing  the  output  line; 
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KEY  shall  be  represented  as  k  bits  in  hexadecimal  notation.  If  the  lUT  implements  the 
DES  algorithm,  the  KEY  shall  consist  of  16  hexadecimal  characters  (i.e.,  64  bits,  k  = 
64).  The  parity  bits  shall  be  ignored,  yielding  56  significant  bits.  For  consistency 
puiposes,  the  DES  key  shall  be  displayed  in  odd  parity.  If  the  lUT  implements  the 
Skipjack  algorithm,  the  KEY  shall  consist  of  20  hexadecimal  characters  (i.e.  80  bits,  k 
80).  Skipjack  does  not  check  parity,  thus  every  bit  in  the  key  is  significant; 

DATA  shall  be  a  16  character  hexadecimal  string  representing  plaintext  if  the  encrypt 
process  is  being  tested  or  ciphertext  if  the  decrypt  process  is  being  tested;  and 

RESULT  shall  be  a  16  character  hexadecimal  string  indicating  the  resulting  value. 
Depending  on  the  process  of  the  lUT  being  tested,  the  resulting  value  shall  represent 
ciphertext  (if  encrypting)  or  plaintext  (if  decrypting). 

4.4.2  Output  Type  2 

Output  Type  2  shall  consist  of: 

COUNT,KEY,CV,DATA,  and  RESULT 

where  COUNT  shall  be  an  integer  between  1  and  400,  i.e.,  0  <  COUNT  <=  400, 
representing  the  output  line; 

KEY  shall  be  represented  as  k  bits  in  hexadecimal  notation.  If  the  lUT  implements  the 
DES  algorithm,  the  KEY  shall  consist  of  16  hexadecimal  characters  (i.e.,  64  bits,  k  = 
64).  The  parity  bits  shall  be  ignored,  yielding  56  significant  bits.  For  consistency 
purposes,  the  DES  key  shall  be  displayed  in  odd  parity.  If  the  lUT  implements  the 
Skipjack  algorithm,  the  KEY  shall  consist  of  20  hexadecimal  characters  (i.e.  80  bits,  k  = 
80).  Skipjack  does  not  check  parity,  thus  every  bit  in  the  key  is  significant; 

CV  shall  be  a  16  character  ASCII  hexadecimal  string; 

DATA  shall  be  a  1 6  character  hexadecimal  string  representing  plaintext  if  the  encrypt 
process  is  being  tested  or  ciphertext  if  the  decrypt  process  is  being  tested.;  and 

RESULT  shall  be  a  16  character  hexadecimal  string  indicating  the  resulting  value. 
Depending  on  the  process  of  the  lUT  being  tested,  the  resulting  value  may  be  ciphertext 
(if  encrypting)  or  plaintext  (if  decrypting). 
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5.  TESTS  REQUIRED  TO  VALIDATE  AN  IMPLEMENTATION  OF  THE  DES  OR 

SKIPJACK  ALGORITHM 

The  validation  of  lUTs  of  the  DES  and  Skipjack  algorithms  shall  require  the  successful 
completion  of  an  applicable  set  of  Known  Answer  tests  and  the  successful  completion  of  the 
appropriate  Modes  tests.  The  tests  required  for  validation  of  an  lUT  shall  be  determined  by 
several  factors.  These  include  the  algorithm  implemented  (DES  or  Skipjack),  the  mode(s)  of 
operation  supported  ( ECB,  CBC,  CFB,  OFB),  and  the  allowed  cryptographic  processes 
(encryption,  decryption,  both). 

A  separate  set  of  Known  Answer  tests  has  been  designed  for  use  with  each  of  the  four  modes  of 
DES  and  Skipjack.  Within  these  sets  of  tests  are  separate  subsets  of  tests  corresponding  to  the 
encrypt  and  decrypt  processes.  If  an  lUT  implements  multiple  modes  of  operation  but  does  not 
implement  the  ECB  mode,  each  supported  mode  of  operation  shall  be  tested.  If  an  lUT 
implements  multiple  modes  of  operation  which  does  include  the  ECB  mode,  the  set  of  Known 
Answer  tests  corresponding  to  the  implemented  cryptographic  state  of  the  ECB  mode  of 
operation  shall  be  the  only  set  of  Known  Answer  tests  conducted.  The  reasoning  behind  this  is 
that  other  modes  of  operation  implemented  should  follow  the  same  logic  as  that  for  the  ECB 
mode  of  operation. 

The  Modes  tests  have  been  designed  for  use  with  each  of  the  four  modes  of  DES  and  Skipjack. 
For  the  ECB,  CBC,  and  CFB  modes  of  operation,  there  are  two  tests  associated  with  each:  one 
to  be  used  for  lUTs  allowing  the  encryption  process  and  the  other  to  be  used  for  lUTs  allowing 
the  decryption  process.  If  both  the  encryption  and  decryption  processes  are  allowed  by  an  lUT, 
both  tests  shall  be  required.  The  OFB  mode  of  operation  only  requires  one  Modes  test  which  is 
designed  for  use  with  both  the  encryption  and  decryption  processes  of  an  lUT.  For  example,  if 
an  lUT  implements  the  CBC  mode  of  operation  in  the  encryption  process  only,  the  Modes  test 
for  the  encryption  process  of  the  CBC  mode  of  operation  shall  be  successfully  completed  to 
validate  the  lUT.  Likewise,  if  an  lUT  implements  both  the  encryption  and  decryption  processes 
of  the  CFB  mode  of  operation,  both  the  Modes  test  for  the  CFB  encryption  process  and  the 
Modes  test  for  the  CFB  decryption  process  shall  be  successfully  completed  to  validate  the  lUT. 
If  an  lUT  implements  both  the  encryption  and  decryption  processes  of  the  OFB  mode  of 
operation,  the  Modes  test  for  the  OFB  mode  of  operation  shall  be  successfully  completed  to 
validate  the  lUT. 

If  an  lUT  of  the  DES  or  Skipjack  algorithm  supports  more  than  one  mode  of  operation,  the 
Modes  test  corresponding  to  each  supported  mode  shall  be  performed  successfully.  For 
example,  if  an  lUT  implements  the  ECB  and  CBC  modes  of  operation  for  the  encryption 
process,  the  Modes  test  for  the  encryption  process  of  the  ECB  mode  of  operation  and  the  Modes 
test  for  the  encryption  process  of  the  CBC  mode  of  operation  shall  be  successfully  completed  to 
validate  the  lUT. 


31 


The  tests  required  to  successfully  validate  lUTs  of  the  DES  and  Skipjack  algorithms  are 
detailed  in  the  following  sections.  These  sections  are  categorized  by  mode  of  operation. 
Within  each  mode  of  operation,  the  tests  are  divided  into  tests  to  use  with  the  encryption 
process  and  tests  to  use  with  the  decryption  process. 
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5.1  Electronic  Codebook  (ECB)  Mode 

The  lUTs  of  the  DES  or  Skipjack  algorithm  in  the  Electronic  Codebook  (ECB)  mode  shall  be 
validated  by  the  successful  completion  of  a  series  of  Known  Answer  tests  and  Modes  tests 
corresponding  to  the  cryptographic  processes  allowed  by  the  lUT. 

5.1.1  Encryption  Process 

The  process  of  validating  an  lUT  of  the  DES  algorithm  which  implements  the  encryption 
process  of  the  ECB  mode  of  operation  shall  involve  the  successful  completion  of  the  following 
six  tests: 

1 .  The  Variable  Plaintext  Known  Answer  Test  -  ECB  mode 

2.  The  Inverse  Permutation  Known  Answer  Test  for  the  Encryption  Process  -  ECB  mode 

3.  The  Variable  Key  Known  Answer  Test  for  the  Encryption  Process  -  ECB  mode 

4.  The  Permutation  Operation  Known  Answer  Test  for  the  Encryption  Process  -  ECB 
mode 

5.  The  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  -  ECB  mode 

6.  The  Modes  Test  for  the  Encryption  Process  -  ECB  mode 

The  validation  process  for  an  lUT  of  the  Skipjack  algorithm  which  implements  the  encryption 
process  of  the  ECB  mode  of  operation  shall  require  the  successful  completion  of  tests  1,2,3,  and 
6  only. 

An  explanation  of  the  tests  follows. 
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5.1.1.1  The  Variable  Plaintext  Known  Answer  Test  -  ECB  Mode 


MOVS:  Initialize  KEY:     If  DES,  KEY=010101010I010101  (odd  parity  set) 

If  Skipjack,  KEY=00000000000000000000 
PT,  =  8000000000000000 
Send     KEY,  PT, 


lUT:      FOR  i  =  1  to  64 
{ 

IB,  =  PTi 

Perform  algorithm  in  encrypt  state,  resulting  in  CT, 
Send  i,  KEY,  PTi,  CT, 

PTj+i  =  basis  vector  where  single  "1"  bit  is  in  position  I+l 


MOVS:  Compare  results  from  each  loop  with  known  answers 

If  DES,  use  Appendix  B,  Table  1.  If  Skipjack,  use  Appendix  B,  Table  5. 


Figure  5.1  The  Variable  Plaintext  Known  Answer  Test  -  ECB  Mode 


Figure  5. 1  illustrates  the  Variable  Plaintext  Known  Answer  test  for  the  ECB  mode  of  operation. 
1.        The  MOVS  shall: 

a.  Initialize  the  KEY  parameter  to  the  constant  hexadecimal  value  0.  For  lUTs  of 
the  DES  algorithm,  the  KEY^e^  =  0101010101010101.  Note  that  the 
significant  bits  are  set  to  "0"  and  the  parity  bits  are  set  to  "  1 "  to  make  odd  parity. 

For  lUTs  of  the  Skipjack  algorithm,  the  KEY^e,  =  00  00  00  00  00  00  00  00  00 
00. 

b.  Initialize  the  64  bit  plaintext  PT,  to  the  basis  vector  containing  a  "  1 "  in  the  first 
bit  position  and  "0"  in  the  following  63  positions,  i.e.,  PT,    =  10000000 
00000000  00000000  00000000  00000000  00000000  00000000  00000000.  The 
equivalent  of  this  value  in  hexadecimal  notation  is  80  00  00  00  00  00  00  00. 

c.  Forward  this  information  to  the  lUT  using  Input  Type  1 . 


2.        The  lUT  shall  perform  the  following  for  i=l  through  64: 

a.       Set  the  input  block  IB;  equal  to  the  value  of  PT^,  i.e,  (IBli,IB2i,...IB64i)  = 
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(PT1„PT2„...,PT64,). 


b.  Process  IBj  through  the  DES  or  Skipjack  algorithm  in  the  encrypt  state,  resulting 
in  ciphertext  CTj. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEY,  PT^,  and  the  resulting  CTj 
to  the  MOVS  as  specified  in  Output  Type  1 . 

d.  Retain  CTj  for  use  with  the  Inverse  Permutation  Known  Answer  test  for  the  ECB 
Mode  (Section  5.1.1.2),  and,  if  the  JUT  supports  the  decryption  process,  for  use 
with  the  Variable  Ciphertext  Known  Answer  test  for  the  ECB  Mode  (Section 
5.1.2.1). 

e.  Assign  a  new  value  to  PTj+i  by  setting  it  equal  to  the  value  of  a  basis  vector  with 
a  "1"  bit  in  position  i+1,  where  i+l=2..64. 


NOTE:  This  continues  until  every  possible  basis  vector  has  been  represented  by  the  PT, 
i.e.  64  times.  The  output  from  the  lUT  shall  consist  of  64  output  strings.  Each  output 
string  shall  consist  of  information  included  in  Output  Type  1 . 


The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values  found  in  Appendix  B,  Table  1  for  DES  or  Table  5  for  Skipjack. 
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5.1.1.2  The  Inverse  Permutation  Known  Answer  Test  -  ECB  Mode 


MOVS:  Initialize  KEY:     If  DES,  KEY=0101010101010101  (odd  parity  set) 

If  Skipjack,  KEY=00000000000000000000 
PT,  (where  i=l-64)  =  64  CT  values  from  the  Variable  Plaintext  Known 
Answer  test 
Send     KEY,  64,  PTi  ...  PT^^ 


lUT:      FOR  i  =  1  to  64 
{ 

IB.  =  PT, 

Perform  algorithm  in  encrypt  state,  resulting  in  CTi 

Send  i,  KEY,  PT;,  CTj 

PTj+i  =  corresponding  PTi+,  from  MOVS 

} 

MOVS:  Compare  results  from  each  loop  with  known  answers. 
Should  be  the  set  of  basis  vectors. 


Figure  5.2  The  Inverse  Permutation  Known  Answer  Test  -  ECB  Mode 


Figure  5.2  illustrates  the  Inverse  Permutation  Known  Answer  test  for  the  ECB  mode  of 
operation. 

1.        The  MOVS  shall: 

a.  Initialize  the  KEY  parameter  to  the  constant  hexadecimal  value  0.  For  lUTs  of 
the  DES  algorithm,  the  KEY^e,  =  0101010101010101.  Note  that  the 
significant  bits  are  set  to  "0"  and  the  parity  bits  are  set  to  "  1 "  to  make  odd  parity. 

For  lUTs  of  the  Skipjack  algorithm,  the  KEY^ex  =  00  00  00  00  00  00  00  00  00 
00. 

b.  Initialize  the  64  bit  plaintext  values  PT,  (where  i=l-  64)  to  the  CTj  results 
obtained  from  the  Variable  Plaintext  Known  Answer  test. 

c.  Forward  this  information  to  the  lUT  using  Input  Type  3. 


2.       The  lUT  shall  perform  the  following  for  i=l  through  64: 
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a.  Set  the  input  block  IBj  equal  to  the  value  of  PTj,  i.e,  (IBl„IB2i,...IB64i)  = 
(PTl,PT2„...,PT64i). 

b.  Process  IB^  through  the  DES  or  Skipjack  algorithm  in  the  encrypt  state,  resulting 
in  ciphertext  CTj. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEY,  PTj,  and  the  resulting  CT| 
to  the  MOVS  as  specified  in  Output  Type  1 . 

d.  Assign  a  new  value  to  PTi+,  by  setting  it  equal  to  the  corresponding  output  from 
the  Variable  Plaintext  Known  Answer  test  for  the  ECB  mode. 

NOTE:  The  output  from  the  lUT  shall  consist  of  64  output  strings.  Each  output  string 
shall  consist  of  information  included  in  Output  Type  1 . 


3.       The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values.    The  CT  values  should  be  the  set  of  basis  vectors. 
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5.1.1.3  The  Variable  Key  Known  Answer  Test  for  the  Encryption  Process  -  ECB  Mode 


MOVS:  Initialize  KEY,:    If  DES,  KEY,  =  8001010101010101  (with  odd  parity) 

If  Skipjack,  KEY,  =  80000000000000000000 
PT=0000000000000000 
Send  KEY,,  PT 

lUT:      FOR  i=  1  to  n,  where  k  =  64  if  DES,  80  if  Skipjack 
{ 

IF  (algorithm  ==  SKIPJACK)  {process  every  bit} 
OR 

(algorithm  ==  DES  AND  I  %8  !=  0) 

{process  every  bit  except  parity  bits} 

{ 

IB;  =  PT 

Perform  algorithm  in  encrypt  state  using  KEY,,  resulting  in  CT, 
Send  i,  KEY,,  PT,  CT, 

KEYj+i  =  vector  consisting  of  "0"  in  every  significant  bit  position 
except  for  a  single  "  1 "  bit  in  position  i+1 .  Each  parity  bit  may  have 
the  value  "  1 "  or  "0"  to  make  the  KEY  odd  parity. 

} 

} 

MOVS:  Compare  results  of  the  n  encryptions  with  known  answers 

For  DES,  use  Appendix  B,  Table  2.  For  Skipjack,  use  Appendix  B,  Table  6. 


Figure  5.3  The  Variable  Key  Known  Answer  Test  for  the  Encryption  Process-  ECB 
Mode 


As  summarized  in  Figure  5.3,  the  Variable  Key  Known  Answer  test  for  the  ECB  Encryption 
Process  shall  be  performed  as  follows: 

1.       The  MOVS  shall: 

a.        Initialize  the  KEYj  to  contain  "0"  in  every  significant  bit  except  for  a  "  1"  in  the 
first  position.  For  example,  if  validating  an  lUT  of  the  DES  algorithm,  the  64  bit 
KEY,  bin  =  10000000  00000001  00000001  00000001  00000001  00000001 
0000000 1  0000000 1 .  The  equivalent  of  this  value  in  hexadecimal  notation  is  80 
01010101010101.  Note  that  the  parity  bits  are  set  to  "0"  or  "1"  to  get  odd 
parity. 

If  validating  an  lUT  of  the  Skipjack  algorithm,  the  80  bit  KEY,    =  10000000 
00000000  00000000  00000000  00000000  00000000  00000000  00000000 
00000000  00000000.  The  equivalent  of  this  value  in  hexadecimal  notation  is  80 
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00  00  00  00  00  00  00  00  00. 


b.  Initialize  the  64  bit  plaintext  PT  to  the  value  of  0,  i.e.,  PThe,=00  00  00  00  00  00 
00  00. 

c.  Forward  this  information  to  the  lUT  using  Input  Type  1 . 


The  lUT  shall  perform  the  following  for  i=  1  to  n:  (NOTE:  n  equals  the  number  of 
significant  bits  in  a  DES  or  Skipjack  key.) 

a.  Set  the  input  block  IBj  equal  to  the  value  of  PT,  i.e,  (IBli,IB2i,...IB64i)  = 
(PT1,PT2,...,PT64). 

b.  Using  the  corresponding  KEYj,  process  IBj  through  the  DES  or  Skipjack 
algorithm  in  the  encrypt  state,  resulting  in  ciphertext  CTj. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEYj,  PT,  and  the  resulting  CTj 
to  the  MOVS  as  specified  in  Output  Type  1 . 

d.  If  the  lUT  supports  the  decryption  process,  retain  CTj  for  use  with  the  Variable 
Key  Known  Answer  test  for  the  Decryption  Process  for  the  ECB  Mode  (Section 
5.1.2.3). 

e.  Set  KEYj+,  equal  to  the  vector  consisting  of  "0"  in  every  significant  bit  position 
except  for  a  single  "1"  bit  in  position  i+1.  The  parity  bits  may  contain  "1"  or  "0" 
to  make  odd  parity. 

NOTE:  The  above  processing  continues  until  every  significant  basis  vector  has  been 
represented  by  the  KEY  parameter.  The  output  from  the  lUT  for  this  test  shall  consist  of 
56  output  strings  if  DES  is  implemented  and  80  output  strings  if  Skipjack  is 
implemented.  Each  output  string  shall  consist  of  information  included  in  Output  Type 
1. 


The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values  found  in  Appendix  B,  Table  2  for  DES,  or  Table  6  for  Skipjack. 
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5.1.1.4  Permutation  Operation  Known  Answer  Test  for  the  Encryption  Process  -  ECB 
Mode 

NOTE:  This  test  shall  only  be  performed  for  lUTs  of  the  DES  algorithm. 


MOVS:  Initialize  KEY;  (where  i=  1-32)  =  32  KEY  values  in  Appendix  B,  Table  3 

PT  =  0000000000000000 
Send  PT,  32,  KEY,,  KEY2....,KEY32 

JUT:      FOR  i  =  1  to  32 
{ 

IB,  =  PTi 

Perform  DES  algorithm  in  encrypt  state  using  KEY;,  resulting  in  CT; 
Send  i,  KEY,,  PT,  CT, 
KEYh,  =  KEY;^,  from  MOVS 

} 

MOVS:  Compare  results  with  known  answers 


Figure  5.4  The  Permutation  Operation  Known  Answer  Test  for  the  Encryption  Process  - 
ECB  Mode 


Figure  5.4  illustrates  the  Permutation  Operation  Known  Answer  test  for  the  ECB  Encryption 
Process. 

1.  The  MOVS  shall: 

a.  Initialize  the  KEY  with  the  32  constant  KEY  values  from  Appendix  B,  Table  3. 

b.  Initialize  the  plaintext  PT  to  the  value  of  0,  i.e.,  VT^^  =  00  00  00  00  00  00  00  00. 

c.  Forward  this  information  to  the  lUT  using  Input  Type  7. 

2.  The  lUT  shall  perform  the  following  for  i=  1  to  32: 

a.  Set  the  input  block  IB;  equal  to  the  value  of  PT,  i.e,  (IBli,IB2i,...IB64i)  = 
(PT1,PT2,...,PT64). 

b.  Using  the  corresponding  KEYj,  process  IBj  through  the  DES  algorithm  in  the 
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encrypt  state,  resulting  in  ciphertext  CTj. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEYj,  PT,  and  the  resulting  CTj 
to  the  MOVS  as  specified  in  Output  Type  1 . 

d.  If  the  lUT  supports  the  decryption  process,  retain  CTj  for  use  with  the 
Permutation  Operation  Known  Answer  test  for  the  Decryption  Process  for  the 
ECB  mode  (Section  5.1.2.4). 

e.  Set  KEYj+i  equal  to  the  next  KEY  supplied  by  the  MOVS. 

NOTE:  The  above  processing  shall  continue  until  all  32  KEY  values  are  processed. 
The  output  from  the  lUT  for  this  test  shall  consist  of  32  output  strings.  Each  output 
string  shall  consist  of  information  included  in  Output  Type  1 . 

The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values  found  in  Appendix  B,  Table  3. 
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5.1.1.5  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  -  ECB  Mode 

NOTE:  This  test  shall  only  be  performed  for  lUTs  of  the  DES  algorithm. 


MOVS 


Initialize 


KEY;  (where  i=l-19)  =  19  KEY  values  in  Appendix  B,  Table  4 
PTj  (where  i=l-19)  ==  19  corresponding  PT  values  in  Table  4 
19,  KEY,,  PT„  KEY^,  PT,,...,  KEY,,,  PT„ 


Send 


lUT: 


FOR  i: 


1  to  19 


IBi  =  PT 

Perform  DES  algorithm  in  encrypt  state  resulting  in  CT, 
Send  i,  KEY;,  PT,,  CT, 
KEY,^,  =  KEY,,,  from  MOVS 
PT,,,  =  PTi„  from  MOVS 


As  summarized  in  Figure  5.5,  the  Substitution  Table  Known  Answer  test  for  the  ECB 
Encryption  Process  shall  be  performed  as  follows: 

1.  The  MOVS  shall: 

a.  Initialize  the  KEY-plaintext  (KEY-PT)  pairs  with  the  1 9  constant  KEY-PT 
values  from  Appendix  B,  Table  4. 

b.  Forward  this  information  to  the  lUT  using  Input  Type  9. 

2.  The  lUT  shall  perform  the  following  for  i=  1  to  19: 

a.  Set  the  input  block  IB;  equal  to  the  value  of  PT,,  i.e,  (IBl„IB2i,...IB64i)  = 
(PTl„PT2„...,PT64j). 

b.  Using  the  corresponding  KEY,,  process  IB,  through  the  DES  algorithm  in  the 
encrypt  state,  resulting  in  ciphertext  CTj. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEYj,  PT;,  and  the  resulting  CTj 
to  the  MOVS  as  specified  in  Output  Type  1 . 


MOVS 


Compare  results  with  known  answers 


Figure  5.5  The  Substitution  Table  Known  Answer  Test  for  the  Encryption 
Process  -  ECB  Mode 
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d.  If  the  lUT  supports  the  decryption  process,  retain  CTj  for  use  with  the 
Substitution  Table  Known  Answer  test  for  the  Decryption  Process  for  the  ECB 
mode  (Section  5.1.2.5). 

e.  Set  KEYj+i  equal  to  the  next  KEY  supplied  by  MOVS. 

f.  Set  PTj+i  equal  to  the  corresponding  FT  supplied  by  MOVS. 

NOTE:  The  above  processing  shall  continue  until  all  19  KEY-PT  pairs  are  processed. 
The  output  from  the  lUT  for  this  test  shall  consist  of  19  output  strings.  Each  output 
string  shall  consist  of  information  included  in  Output  Type  1 . 

3.       The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values  found  in  Appendix  B,  Table  4. 
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5.1.1.6  Modes  Test  for  the  Encryption  Process  -  ECB  Mode 


MOVS:  Initialize  KEYq,  PTq 
Send     KEYo,  PTo 


lUT: 


FOR  i- 


0  TO  399 


Record  i,  KEY,,  PTo 
FORj  =  0  TO  9,999 


PTj.,  =  CTj 

} 

Record  CTj 

Send  i,  KEY,,  PTo,  CTj 

KEYi+,=  KEY;  ffi  last  n  bits  of  CT,  where  «=64  if  DBS,  «=80  if  Skipjack 
PTq  =  CT9999 


MOVS:  Check  lUT's  output  for  correctness 


Figure  5.6  The  Modes  Test  for  the  Encryption  Process  -  ECB  Mode 

As  summarized  in  Figure  5.6,  the  Modes  test  for  the  ECB  Encryption  Process  shall  be 
performed  as  follows: 

1.       The  MOVS  shall: 

a.        Initialize  the  KEY  and  plaintext  PT  variables.  The  PT  shall  consist  of  64  bits, 


while  the  KEY  length  shall  be  dependent  on  the  algorithm  implemented  by  the 


lUT. 


b. 


Forward  this  information  to  the  lUT  using  Input  Type  1 . 


2. 


The 


lUT  shall  perform  the  following  for  i=  0  through  399: 


a. 


Record  the  current  values  of  the  outer  loop  number  i,  KEYj ,  and  PT, 
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b.  Perfonn  the  following  for  j=0  through  9999: 

1.        Set  the  input  block  IBj  equal  to  the  value  of  PTj,  i.e.,  (IBL,  IB2 , IB64  ) 
=  (PTlj,PT2j,...,PT64j). 

ii.       Process  IBj  through  the  DES  or  Skipjack  algorithm  in  the  encrypt  state 
resulting  in  CTj. 

ill.      Prepare  for  loop  j+1  by  assigning  PT^+i  with  the  current  value  of  CTj,  i.e., 
(PTlj,„  PT2j,„  ...  PT64j,,)  =  (CTlj,  CT2^, 0X64^). 

c.  Record  CTj . 

d.  Forward  all  recorded  information  for  this  loop,  as  specified  in  Output  Type  1 ,  to 
the  MOVS. 

e.  Assign  a  new  value  to  KEY  in  preparation  for  the  next  outer  loop  The  new 
KEY  shall  be  calculated  by  exclusive-ORing  the  current  KEY  with  the  current 
CT.  For  lUTs  of  the  DES  algorithm,  this  shall  equate  to  (KEYli+„  KEYlj+i, ... 
KEY64,^i)  =  (KEYl,©CTl9999,  KEY2ieCT29999, ...  KEY64ieCT649999). 

For  lUTs  of  the  Skipjack  algorithm,  CT  shall  be  expanded  in  length  to  80  bits 
(the  length  of  a  Skipjack  key)  before  the  new  KEY  can  be  formed.  This 
expansion  shall  be  accomplished  by  concatenating  the  1 6  rightmost  bits  of  the 
previous  CT  (CTgggg)  with  the  64  bits  of  the  current  CT  (CT9999).  This  value  shall 
then  be  exclusive-ORed  with  the  current  KEY  to  form  the  new  KEY,  i.e., 
(KEYli+i,  KEY2i^„  ...  KEYSOi^,)  =  (KEYli©CT499998,  KEY2i®CT5  09998, ... 
KEY16,eCT649998,  KEY  17i®CTl 9999,  KEY18i®CT29999, ...  KEY80,©CT649999). 

f.  Assign  a  new  value  to  PT  in  preparation  for  the  next  outer  loop.  PTq  shall  be 
assigned  the  value  of  the  current  CT,  i.e.,  (PTlp,  PT2o,...,PT64o)  =  (CTI9999, 
CT29999,...,CT649999).  (Notc  that  the  new  PT  shall  be  denoted  as  PTo  to  be  used 
for  the  first  pass  through  the  inner  loop  when  j=0.) 

NOTE:  The  output  from  the  lUT  for  this  test  shall  consist  of  400  output  strings.  Each 
output  string  shall  consist  of  information  included  in  Output  Type  1 . 

3.       The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values. 
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5.1.2  Decryption  Process 


The  process  of  validating  an  lUT  for  the  ECB  mode  of  the  DES  algorithm  which  implements 
the  decryption  process  shall  involve  the  successful  completion  of  the  following  six  tests: 


1 .  The  Variable  Ciphertext  Known  Answer  Test 

2.  The  Initial  Permutation  Known  Answer  Test 

3.  The  Variable  Key  Known  Answer  Test  for  the  Decryption  Process 

4.  The  Permutation  Operation  Known  Answer  Test  for  the  Decryption  Process 

5.  The  Substitution  Table  Known  Answer  Test  for  the  Decryption  Process 

6.  The  Modes  Test  for  the  Decryption  Process 

The  validation  process  for  an  lUT  of  the  Skipjack  algorithm  using  the  ECB  mode  of  operation 
in  the  decryption  process  shall  require  the  successful  completion  of  tests  1,  2,  3,  and  6  only. 

An  explanation  of  the  tests  follows. 
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5.1.2.1  The  Variable  Ciphertext  Known  Answer  Test  -  ECB  Mode 


MOVS:  Initialize  KEY:    If  DES,  KEY=01010I0101010101  (odd  parity  set) 

If  Skipjack,  KEY=000000O000O0000000O0 

If  encryption  is  svtpported  by  lUT: 

Send  KEY 
If  encryption  is  not  supported  by  lUT: 

Initialize  CT  values:  If  DES,  use  values  in  Appendix  B,  Table  1 

If  Skipjack,  use  values  in  Appendix  B,  Table  5 

Send  KEY,  64,  CT„  CT2,...CT64 

lUT:      If  encryption  is  supported  by  lUT: 

Initialize  CT,  =  first  value  from  output  of  Variable  Plaintext  Known  Answer  test. 
Otherwise,  use  the  first  value  received  fi-om  the  MOVS. 

FOR  i  =  1  to  64 
{ 

IBi  =  CT, 

Perform  algorithm  in  decrypt  state,  resulting  in  PT; 
Send  i,  KEY,  CT^,  PTj 
If  encryption  is  supported: 

CTi+i=  corresponding  CTj+,  fi-om  output  of  Variable  Plaintext  Known  Answer 

test 

else 

CTj+i=  the  corresponding  CTj+i  value  fi-om  MOVS 

} 

MOVS:  Compare  results  fi-om  each  loop  with  known  answers 


Figure  5.7  The  Variable  Ciphertext  Known  Answer  Test  -  ECB  Mode 


As  summarized  in  Figure  5.7,  the  Variable  Ciphertext  Known  Answer  test  for  the  ECB  Mode  of 
Operation  shall  be  performed  as  follows: 

1.  The  MOVS  shall: 

a.  Initialize  the  KEY  parameter  to  the  constant  hexadecimal  value  0.  For  lUTs  of 
the  DES  algorithm,  KEY^e,  =  0101010101010101.  Note  that  the  significant 
bits  are  set  to  "0"  and  the  parity  bits  are  set  to  "  1 "  to  make  odd  parity.  For  lUTs 
of  the  Skipjack  algorithm,  KEY^e,  =  00  00  00  00  00  00  00  00  00  00. 

b.  If  the  lUT  implements  the  DES  algorithm  and  it  does  not  support  encryption, 
initialize  the  64  ciphertext  CT  values  with  the  64  constant  CT  values  from 
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Appendix  B,  Table  1.  Likewise,  if  the  lUT  is  of  the  Skipjack  algorithm,  and  it 
does  not  support  encryption,  initialize  the  64  ciphertext  CT  values  with  the  64 
constant  CT  values  from  Appendix  B,  Table  5. 


c.        If  encryption  is  supported  by  the  lUT,  forward  the  KEY  to  the  lUT  using  Input 
Type  4.  If  encryption  is  not  supported  by  the  lUT,  forward  the  KEY  and  64  CT 
values  to  the  lUT  using  Input  Type  3. 

2.  The  lUT  shall: 

a.  If  encryption  is  supported,  initialize  the  CT  value  with  the  first  CT  value  retained 
from  the  Variable  Plaintext  Known  Answer  test  for  the  ECB  Mode  (Section 
5.1.1.1).  Otherwise,  use  the  first  value  received  from  the  MOVS. 

b.  Perform  the  following  for  i=l  through  64: 

i.  Set  the  input  block  IBj  equal  to  the  value  of  CTj,  i.e.,  (IBli,IB2j,...,IB64i) 
=  (CTl,CT2i,...,CT64,). 

ii.  Process  IBj  through  the  DES  or  Skipjack  algorithm  in  the  decrypt  state, 
resulting  in  plaintext  PTj. 

iii.  Forward  the  current  values  of  the  loop  number  i,  KEY,  CTi,  and  the 
resulting  PTj  to  the  MOVS  as  specified  in  Output  Type  1 . 

iv.  Retain  PTj  for  use  with  the  Initial  Permutation  Known  Answer  test  for  the 
ECB  mode  (Section  5.1.2.2). 

V.       If  encryption  is  supported,  set  CTi+,  equal  to  the  corresponding  output 
from  the  Variable  Plaintext  Known  Answer  test  for  the  ECB  mode.  If 
encryption  is  not  supported,  assign  a  new  value  to  CTj+,  by  setting  it 
equal  to  the  corresponding  CTj+i  value  supplied  by  the  MOVS. 

NOTE:  The  output  from  the  lUT  for  this  test  shall  consist  of  64  output  strings.  Each 
output  string  shall  consist  of  information  included  in  Output  Type  1 . 

3.  The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values. 
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5.1.2.2  The  Initial  Permutation  Known  Answer  Test  -  ECB  Mode 


MOVS:  Initialize  KEY:    If  DES,  KEY=0101010101010I01  (odd  parity  set) 

If  Skipjack,  KEY=000OO000O000000OO00O 

CT,  (where  i=l-64)  =  64  PT  values  from  Variable  Ciphertext  Known  Answer  test 
Send  KEY,  64,  CT„  CT2,...CT64 

lUT:      Initialize  CT,  =  first  value  from  output  of  Variable  Ciphertext  Known  Answer  test. 

FOR  i  =  1  to  64 

{ 

IBi  =  CT; 

Perform  algorithm  in  decrypt  state,  resulting  in  PT, 
Send  i,  KEY,  CTj,  PT, 

CTj+,=  the  corresponding  CT,+,  value  from  MOVS 


MOVS:  Compare  results  from  each  loop  with  known  answers.  For  DES,  use  Appendix  B,  Table  1.  For 
Skipjack,  use  Appendix  B,  Table  5. 


Figure  5.8  The  Initial  Permutation  Known  Answer  Test  -  ECB  Mode 


As  summarized  in  Figure  5.8,  the  Initial  Permutation  Known  Answer  test  for  the  ECB  Mode  of 
Operation  shall  be  performed  as  follows: 

1.  The  MOVS  shall: 

a.  Initialize  the  KEY  parameter  to  the  constant  hexadecimal  value  0.  For  lUTs  of 
the  DES  algorithm,  KEY^ex  =  0101010101010101.  Note  that  the  significant 
bits  are  set  to  "0"  and  the  parity  bits  are  set  to  "  1 "  to  make  odd  parity.  For  lUTs 
of  the  Skipjack  algorithm,  KEY^ex  =  00  00  00  00  00  00  00  00  00  00. 

b.  Initialize  the  64  CT  values  with  the  64  PT  values  obtained  from  the  Variable 
Ciphertext  Known  Answer  test. 

c.  Forward  the  KEY  and  the  64  CT  values  to  the  lUT  using  Input  Type  3. 

2.  The  lUT  shall  perform  the  following  for  i=l  through  64: 

a.       Set  the  input  block  IBj  equal  to  the  value  of  CTj,  i.e.,  (IBli,IB2i,...,IB64i)  = 
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(CTl„CT2„...,CT64i). 

b.  Process  IBj  through  the  DES  or  Skipjack  algorithm  in  the  decrypt  state,  resuhing 
in  plaintext  PTj. 

c.  Forward  the  current  values  of  the  loop  number  i,  KEY,  CT^,  and  the  resulting  PTj 
to  the  MOVS  as  specified  in  Output  Type  1 . 

d.  Set  CTi+i  equal  to  the  corresponding  CTj+,  value  supplied  by  the  MOVS. 

NOTE:  The  output  from  the  lUT  for  this  test  shall  consist  of  64  output  strings.  Each 
output  string  shall  consist  of  information  included  in  Output  Type  1 . 

The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values. 
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5.1.2.3  The  Variable  Key  Known  Answer  Test  for  the  Decryption  Process  -  ECB  Mode 


MOVS:  Initialize  KEY,:   If  DES,  KEY,  =  8001010101010101  (odd  parity) 
If  Skipjack,  KEY,  =  80000000000000000000 

If  encryption  is  supported  by  the  lUT: 

Send  KEY, 
If  encryption  is  not  supported  by  the  lUT: 

Initialize  CT  values:  If  DES,  initialize  CT  values  with  values  in  Appendix  B,  Table  2 
If  Skipjack,  initialize  CT  values  with  values  in  Appendix  B, 
Table  6 

Send      KEY,,  n  (where  «=64  if  DES,  80  if  Skipjack),  CT„  CT2,...,CT„ 

JUT:      If  encryption  is  supported  by  the  lUT: 

Initialize  CT,  =  first  value  from  output  of  Variable  Key  Known  Answer  test  for  the 
Encryption  Process  for  the  ECB  Mode. 
Otherwise,  use  the  first  value  received  from  the  MOVS. 

FOR  i  =  1  to  «,  where  n  =  64  if  DES,  80  if  Skipjack 

{ 

IF  (algorithm  =  SKIPJACK)  {process  every  bit} 
OR 

(algorithm  =  DES  AND  i  %8  !=  0) 

{process  every  bit  except  parity  bits} 

{ 

IB,  =  CT, 

Perform  algorithm  in  decrypt  state,  resulting  in  PT, 

Send  i,  KEY,,  CT,,  PT, 

KEYj+,  =  vector  consisting  of  "0"  in  every 

significant  bit  position  except  for  a  single  "  1 "  bit  in  position 

i+1.  Note  that  odd  parity  is  set. 
If  encryption  is  supported  by  the  lUT: 

CT,+,=  corresponding  CT,+,  from  output  of  Variable  Key 

Known  Answer  test  for  the  Encryption  Process  for  the  ECB 

Mode 

else 

CTi+,=  corresponding  CT,^.,  from  MOVS 

} 

} 

MOVS:  Compare  results  of  the  n  decryptions  with  known  answers 


Figure  5.9  The  Variable  Key  Known  Answer  Test  for  the  Decryption  Process  -  ECB 
Mode 
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Figure  5.9  illustrates  the  Variable  Key  Known  Answer  test  for  the  ECB  Decryption  Process. 

1.  TheMOVS  shall: 

a.  Initialize  the  KEY,  to  contain  "0"  in  every  significant  bit  except  for  a  "  1 "  in  the 
first  position.  For  example,  if  validating  an  lUT  of  the  DES  algorithm,  the  64  bit 
KEY,  bin  =  1000000  00000001  00000001  00000001  00000001  00000001 
00000001  00000001.  The  equivalent  of  this  value  in  hexadecimal  notation  is  80 
01010101010101.  Note  that  the  parity  bits  are  set  to  "0"  or  "1"  to  set  odd 
parity. 

If  validating  an  lUT  of  the  Skipjack  algorithm,  the  80  bit  KEY,    =  10000000 
00000000  00000000  00000000  00000000  00000000  00000000  00000000 
00000000  00000000.  The  equivalent  of  this  value  in  hexadecimal  notation  is  80 
00  00  00  00  00  00  00  00  00. 

b.  If  the  lUT  implements  the  DES  algorithm  and  encryption  is  not  supported, 
initialize  CT,  values  with  the  56  constant  CT  values  from  Appendix  B,  Table  2. 
If  the  lUT  implements  the  Skipjack  algorithm,  and  encryption  is  not  supported, 
initialize  CT,  values  with  the  80  constant  CT  values  from  Appendix  B,  Table  6. 

c.  If  encryption  is  not  supported  by  the  lUT,  forward  KEY  and  the  CT  values  to  the 
lUT  using  Input  Type  3.  Otherwise,  forward  the  KEY  to  the  lUT  using  Input 
Type  4. 

2.  The  lUT  shall: 

a.  If  encryption  is  supported,  initialize  the  CT  value  with  the  first  CT  value  retained 
from  the  Variable  Key  Known  Answer  test  for  the  Encryption  Process  for  the 
ECB  Mode  (Section  5.1.1 .3).  Otherwise,  use  the  first  value  received  from  the 
MOVS. 

b.  Perform  the  following  for  i=l  to  «,  where  n  =  56  for  DES  or  80  for  Skipjack: 

i.  Set  the  input  block  IB,  equal  to  the  value  of  CTj,  i.e.,  (IBlj,  IB2i,...,  IB64i) 
=  (CTli,  CT2„...,CT64i). 

ii.  Process  IBj  through  the  DES  or  Skipjack  algorithm  in  the  decrypt  state, 
.  resulting  in  plaintext  PTj. 

iii.  Forward  the  current  values  of  the  loop  number  i,  KEY,,  CTj,  and  the 
resulting  PTj  to  the  MOVS  as  specified  in  Output  Type  1 . 
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iv. 


Set  KEYj+,  equal  to  the  vector  consisting  of  "0"  in  every  significant  bit 
position  except  for  a  single  "  1 "  bit  in  position  i+1 .  The  parity  bits  are  set 
for  odd  parity. 


If  encryption  is  supported,  set  CTj+,  equal  to  the  corresponding  CTj+i 
value  retained  from  the  Variable  Key  Known  Answer  test  for  the 
Encryption  Process  for  ECB  mode.  If  encryption  is  not  supported  by  the 
lUT,  set  CTj+i  equal  to  the  corresponding  CTi+,  value  supplied  by  the 
MOVS. 


NOTE:  The  output  from  the  lUT  for  this  test  shall  consist  of  56  output  strings  if  DES  is 
implemented  or  80  output  strings  if  Skipjack  is  implemented.  Each  output  string  shall 
consist  of  information  included  in  Output  Type  1 . 

The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values. 
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5.1.2.4  Permutation  Operation  Known  Answer  Test  for  Decryption  Process  -  ECB  Mode 

NOTE:  This  test  shall  only  be  performed  for  lUTs  of  the  DES  algorithm. 


MOVS:  Initialize  KEYj  (where  i=  1-32)  =  KEY  values  in  Appendix  B,  Table  3 

If  encryption  is  supported  by  the  lUT: 

Send  32,  KEY,,  KEYj,...,  KEY32 
If  encryption  is  not  supported  by  the  lUT; 

Initialize  CT|  (where  i=l-32)  =  corresponding  CT  values  in  Table  3 

Send  32,  KEY,,  CT„  KEY2,  CT2,...,KEY32,  CT32 

lUT:      If  encryption  is  supported  by  the  lUT: 

Initialize  CT,  =  first  value  retained  from  Permutation  Operation  Known  Answer  test  for 
the  Encryption  Process  for  the  ECB  Mode. 
Otherwise,  use  the  first  values  received  from  the  MOVS. 

FOR  i  =  1  to  32 
{ 

IBi  =  CT, 

Perform  DES  algorithm  in  decrypt  state  using  KEY,,  resulting  in  PT, 
Send  i,  KEY;,  CT,,  PT, 

KEYj+i  =  corresponding  KEY  supplied  by  MOVS 

If  encryption  is  supported  by  the  lUT: 

CTi+,=  the  corresponding  CTi+,  retained  Irom  Permutation  Operation  Known 
Answer  test  for  the  Encryption  Process  for  the  ECB  Mode 

else 

CTi+,=  the  corresponding  CT,+,  from  MOVS 

} 

MOVS:  Compare  results  from  each  loop  with  known  answers 


Figure  5.10  The  Permutation  Operation  Known  Answer  Test  for  the  Decryption  Process 
-  ECB  Mode 


As  summarized  in  Figure  5.10,  the  Permutation  Operation  Known  Answer  test  for  the  ECB 
Decryption  Process  shall  be  performed  as  follows: 

1.       The  MOVS  shall: 

a.        If  the  lUT  supports  encryption,  initialize  the  KEY  values  with  the  32  constant 
KEY  values  supplied  from  Table  3.  If  the  lUT  does  not  support  encryption, 
initialize  the  KEY-ciphertext  (KEY-CT)  pairs  with  the  32  constant  KEY-CT 
pairs  from  Appendix  B,  Table  3. 
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b.       If  encryption  is  supported  by  the  lUT,  forward  the  32  KEY  values  using  Input 

Type  10.  If  encryption  is  not  supported  by  the  lUT,  forward  the  32  KEY  and  CT 
pairs  to  the  lUT  using  Input  Type  9. 


The  lUT  shall: 

a.  If  encryption  is  supported  by  the  lUT,  initialize  the  CT  value  with  the  first  CT 
value  retained  from  the  Permutation  Operation  Known  Answer  test  for  the 
Encryption  Process  for  the  ECB  Mode  (Section  5.1.1 .4).  Otherwise,  use  the  first 
value  received  from  the  MOVS. 

b.  Perform  the  following  for  i  =  1  to  32: 

i.  Set  the  input  block  IBj  equal  to  the  value  of  CTj,  i.e, 
(IBlj,IB2i,...IB64i)=(CTli,CT2„...,  CT64,). 

ii.  Using  the  corresponding  KEY;,  process  IBj  through  the  DES  algorithm  in 
the  decrypt  state,  resulting  in  plaintext  PTj. 

iii.  Forward  the  current  values  of  the  loop  number  i,  KEYj,  CT;,  and  the 
resulting  PTj  to  the  MOVS  as  specified  in  Output  Type  1 . 

iv.  Assign  a  new  value  to  KEYi+,  by  setting  it  equal  to  the  corresponding 
KEY  value  supplied  by  the  MOVS. 

V.       If  encryption  is  supported,  set  CTi+,  equal  to  the  corresponding  CT  value 
retained  from  the  Permutation  Operation  Known  Answer  test  for  the 
Encryption  Process  for  ECB  mode.  If  encryption  is  not  supported,  set 
CTj+i  equal  to  the  corresponding  CT  value  supplied  by  the  MOVS. 

NOTE:  The  above  processing  shall  continue  until  all  32  KEY-CT  values  are  passed  as 
specified  in  Input  Type  9  or  all  32  KEY  values  are  passed  as  specified  in  Input  Type  10. 
The  output  from  the  lUT  for  this  test  shall  consist  of  32  output  strings.  Each  output 
string  shall  consist  of  information  included  in  Output  Type  1 . 


The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values. 
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5.1.2.5  Substitution  Table  Known  Answer  Test  for  the  Decryption  Process  -  ECB  Mode 

NOTE:  This  test  shall  only  be  performed  for  lUTs  of  the  DBS  algorithm. 


MOVS:  Initialize  KEY;  (where  i=  1  - 1 9)  =  KEY  values  in  Appendix  B,  Table  4 

If  encryption  is  supported  by  the  lUT: 

Send  19,  KEY,,  KEY2,...,KEY,9 
If  encryption  is  not  supported  by  the  lUT: 

Initialize  CTi  (where  i=l-19)  =  corresponding  CT  values  in  Table  4 

Send  19,  KEY,,  CT„  KEY2,  CT2,...,KEY,9,  CT,, 

lUT:      If  encryption  is  supported  by  the  lUT: 

Initialize  CT,  =  first  value  from  output  of  Substitution  Table  Known  Answer  test  for  the 

Encryption  Process  for  the  ECB  Mode. 

Otherwise,  use  the  first  value  received  from  the  MOVS. 


FORi=  1  to  19 

{ 


IB;  =  CT, 

Perform  DES  algorithm  in  decrypt  state  using  KEY,,  resulting  in  PT, 
Send  i,  KEY,,  CT„  PTj 

KEYj+i  =  corresponding  KEYi+,  supplied  by  MOVS 

If  encryption  is  supported 

CT,+,=  corresponding  CTi+,  from  output  of  Substitution  Table  Known 
Answer  test  for  the  Encryption  Process  for  the  ECB  Mode 

else 

CTi+,=  the  corresponding  CTi+,  from  MOVS 


} 

MOVS:  Compare  results  from  each  loop  with  known  answers 


Figure  5.11  The  Substitution  Table  Known  Answer  Test  for  the  Decryption  Process 
ECB  Mode 


Figure  5.1 1  illustrates  the  Substitution  Table  Known  Answer  test  for  the  ECB  Decryption 
Process. 

1.       The  MOVS  shall: 

a.        If  the  lUT  supports  encryption,  initialize  the  KEY  values  with  the  19  constant 
KEY  values  supplied  from  Appendix  B,  Table  4.  If  the  lUT  does  not  support 
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encryption,  initialize  the  KEY-ciphertext  (KEY-CT)  pairs  with  the  19  constant 
KEY-CT  pairs  from  Appendix  B,  Table  4. 


b.       If  encryption  is  supported  by  the  lUT,  forward  the  1 9  KEY  values  using  Input 
Type  10.  Forward  the  19  KEY-CT  pairs  to  the  lUT  using  Input  Type  9  if 
encryption  is  not  supported  by  the  lUT. 

The  lUT  shall:  ■ 

a.  If  encryption  is  supported,  initialize  the  CT  value  with  the  first  CT  value  retained 
from  the  Substitution  Table  Known  Answer  test  for  the  Encryption  Process  for 
the  ECB  Mode  (Section  5.1.1 .5).  Otherwise,  use  the  first  value  received  from 
the  MOVS. 

b.  Perform  the  following  for  i  =  1  to  19: 

i.  Set  the  input  block  IBj  equal  to  the  value  of  CTj,  i.e,  (IBli,IB2  ,...IB64 )  = 
(CTl,CT2„...,CT64i). 

ii.  Using  the  corresponding  KEYj,  process  IBj  through  the  DES  algorithm  in 
the  decrypt  state,  resulting  in  plaintext  PTj. 

iii.  Forward  the  current  values  of  the  loop  number  i,  KEYj,  CT„  and  the 
resuhing  PTj  to  the  MOVS  as  specified  in  Output  Type  1 . 

iv.  Set  KEYj+i  equal  to  the  corresponding  KEY  supplied  by  MOVS. 

v.  If  encryption  is  supported,  set  CTi+,  equal  to  the  corresponding  CT  value 
retained  from  the  Substitution  Table  Known  Answer  test  for  the 
Encryption  Process  for  the  ECB  mode.  If  encryption  is  not  supported,  set 
CTj+,  equal  to  the  corresponding  CT  value  supplied  by  the  MOVS. 

NOTE:  The  above  processing  shall  continue  until  all  19  KEY-CT  pairs,  as  specified  in 
Input  Type  9,  or  all  19  KEY  values,  as  specified  in  Input  Type  10,  are  processed.  The 
output  from  the  lUT  for  this  test  shall  consist  of  19  output  strings.  Each  output  string 
shall  consist  of  information  included  in  Output  Type  1 . 

The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values. 
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5.1.2.6  Modes  Test  for  the  Decryption  Process  -  ECB  Mode 


MOVS:  Initialize  KEYq,  CTq 

Send  KEYo,  CTq 

lUT:      FOR  i  =  0  TO  399 

{ 

Record  i,  KEY,,  CTq 
FORj  =  0TO  9,999 
{ 

IBj  =  CTj 


Perform  algorithm  in  decrypt  state,  resulting  in  PTj 


} 


Record  FTj 


Sendi,  KEY;,  CTo,  PTj 

KEY^i  =  KEYi  ®  last  n  bits  of  FT, 

where  «=64  if  DBS  and  «=80  if  Skipjack 

CTq  =  FT9999 


} 

MOVSrCheck  lUT's  output  for  correctness 


Figure  5.12  The  Modes  Test  for  the  Decryption  Process  -  ECB  Mode 

Figure  5.12  illustrates  the  Modes  test  for  the  ECB  Decryption  Process. 

1.  The  MOVS  shall: 

a.  Initialize  KEY  and  ciphertext  CT  variables.  The  CT  shall  consist  of  64  bits, 
while  the  KEY  length  shall  be  dependent  on  the  algorithm  implemented  by  the 
lUT. 

b.  Forward  these  values  to  the  lUT  using  Input  Type  1 . 

2.  The  lUT  shall  perform  the  following  for  i=0  through  399: 

a.  Record  the  current  values  of  the  outer  loop  number  i,  the  KEYj,  and  the  CTq. 

b.  Perform  the  following  for  j=0  through  9999: 

i.      Set  the  input  block  IBj  equal  to  the  value  of  CTj,  i.e.,  (IBlj,  IB2j,  „., 
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IB64j)  =  (CTlj,  CT2j,...,  CT64j). 

ii.  Process  IBj  through  the  DES  or  Skipjack  algorithm  in  the  decrypt  state, 
resuhing  in  plaintext  PTj. 

iii.  Prepare  for  loop  j+1  by  assigning  CTj+,  with  the  current  value  of  PTj,  i.e., 
(CT1^,„  CT2j,„  ...  CT6V,)  =  (PTlj,  PT2j, PT64j). 

c.  Record  the  PTj . 

d.  Output  all  recorded  information  for  this  loop  as  specified  in  Output  Type  1 . 

e.  Assign  a  new  value  to  the  KEY  in  preparation  for  the  next  outer  loop.  The  new 
KEY  shall  be  calculated  by  exclusive-ORing  the  current  KEY  with  the  current 
PT.  For  lUTs  of  the  DES  algorithm,  this  shall  equate  to  (KEYl,^,,  KEY2i+„  ... 
KEY64,^,)  =  ( (KEY IjePTl 9999,  KEY2i©PT29999, ...  KEY64iePT649999). 

For  lUTs  for  the  Skipjack  algorithm,  the  PT  shall  be  expanded  in  length  to  80 
bits  (the  length  of  a  Skipjack  key)  before  the  new  KEY  can  be  formed.  This 
expansion  shall  be  accomplished  by  concatenating  the  1 6  rightmost  bits  of  the 
previous  PT  (PT999g)  with  the  64  bits  of  the  current  PT  (PT9999).  This  value  shall 
then  be  exclusive-ORed  with  the  current  KEY  to  form  the  new  KEY,  i.e., 
(KEYli.,,,  KEY2i^„  ...  KEY80i^,)  =  (KEYli©PT499998,  KEY2,©PT509998, ... 
KEY16i©PT649998,  KEY  17i©PTl 9999,  KEY18i©PT29999, ...  KEY80i®PT649999). 

f.  Assign  a  new  value  to  CT  in  preparation  for  the  next  outer  loop.  CTq  shall  be 
assigned  the  value  of  the  current  PT,  i.e.,  (CTIq,  CT2o,...,CT64o)  =  (PTI9999, 
PT29999,...,PT649999).  (Notc  that  the  new  CT  shall  be  denoted  as  CTq  to  be  used 
for  the  first  pass  through  the  inner  loop  when  j=0.) 

NOTE:  The  output  from  the  lUT  for  this  test  shall  consist  of  400  output  strings 
consisting  of  information  included  in  Output  Type  1. 

3.       The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values. 
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5.2  Cipher  Block  Chaining  (CBC)  Mode 


The  lUTs  for  the  DES  or  Skipjack  algorithm  in  the  Cipher  Block  Chaining  (CBC)  mode  shall 
be  validated  by  successfully  completing  a  series  of  Known  Answer  tests  and  Modes  tests 
corresponding  to  the  cryptographic  processes  allowed  by  the  lUT. 

5.2.1  Encryption  Process 

The  process  of  validating  an  lUT  for  the  DES  algorithm  which  implements  the  encryption 
process  of  the  CBC  mode  of  operation  shall  involve  the  successful  completion  of  the  following 
six  tests: 

1 .  The  Variable  Plaintext  Known  Answer  Test  -  CBC  mode 

2.  The  Inverse  Permutation  Known  Answer  Test  -  CBC  mode 

3.  The  Variable  Key  Known  Answer  Test  for  the  Encryption  Process  -  CBC  mode 

4.  The  Permutation  Operation  Known  Answer  Test  for  the  Encryption  Process  -  CBC 
mode 

5.  The  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  -  CBC  mode 

6.  The  Modes  Test  for  the  Encryption  Process  -  CBC  mode 

The  validation  process  for  an  lUT  of  the  Skipjack  algorithm  which  implements  the  encryption 
process  of  the  CBC  mode  of  operation  shall  require  the  successful  completion  of  tests  1,  2,  3, 
and  6  only. 

An  explanation  of  the  tests  follows. 
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5.2.1.1  The  Variable  Plaintext  Known  Answer  Test  -  CBC  Mode 


MOVS:  Initialize  KEY:     If  DES,  KEY  =  0101010101010101  (odd  parity  set) 

If  Skipjack,  KEY  =  00000000000000000000 
IV  =  0000000000000000 
PT,  =  8000000000000000 
Send  KEY,  IV,  PT, 

lUT:      FOR  i  =  1  to  64 
{ 

IBi=  PT.e  IV 

Perform  algorithm  in  encrypt  state,  resulting  in  CT, 
Send  i,  KEY,  IV,  PT„  CT, 

PTj+,  =  basis  vector  where  single  "  1 "  bit  is  in  position  i+1 

} 

MOVS:  Compare  results  from  each  loop  with  known  answers 

If  DES,  use  Appendix  B,  Table  1.  If  Skipjack,  use  Appendix  B,  Table  5. 


Figure  5.13  The  Variable  Plaintext  Known  Answer  Test  -  CBC  Mode 


Figure  5.13  illustrates  the  Variable  Plaintext  Known  Answer  test  for  the  CBC  mode. 
1.       The  MOVS  shall: 

a.  Initialize  the  KEY  parameter  to  the  constant  hexadecimal  value  0.  For  lUTs  of 
the  DES  algorithm,  the  KEY^e,  =  0101010101010101.  Note  that  the 
significant  bits  are  set  to  "0"  and  the  parity  bits  are  set  to  "1"  to  make  odd  parity. 

For  lUTs  of  the  Skipjack  algorithm,  the  KEY^e,  =  00  00  00  00  00  00  00  00  00 
00. 

b.  Initialize  the  64  bit  IV  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  TV^^^ 
=  00  00  00  00  00  00  00  00. 

c.  Initialize  the  64  bit  plaintext  PT,  to  the  basis  vector  containing  a  "  1 "  in  the  first 
bit  position  and  "0"  in  the  following  63  positions,  i.e.,  PT,    =  10000000 
00000000  00000000  00000000  00000000  00000000  00000000  00000000.  The 
equivalent  of  this  value  in  hexadecimal  notation  is  80  00  00  00  00  00  00  00. 

d.  Forward  this  information  to  the  lUT  using  Input  Type  2. 
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2. 


The  lUT  shall  perform  the  following  for  i  =  1  through  64: 


a.  Calculate  the  input  block  IBj  by  exclusive-ORing  PTj  with  IV,  i.e., 
(IBli,IB2i,...IB64i)  =  (PTli®IVl,PT2i®IV2,...,  PT64j©IV64). 

b.  Process  IB;  through  the  DES  or  Skipjack  algorithm  in  the  encrypt  state,  resulting 
in  ciphertext  CTj. 

0.       Forward  the  current  values  of  the  loop  number  i,  KEY,  IV,  PTj,  and  the  resulting 
CTj  to  the  MOVS  as  specified  in  Output  Type  2. 

d.  Retain  CTj  for  use  with  the  Inverse  Permutation  Known  Answer  test  for  the  CBC 
Mode  of  Operation  (Section  5.2.1.2),  and,  if  the  lUT  supports  decryption,  for  use 
with  the  Variable  Ciphertext  Known  Answer  test  for  the  CBC  Mode  (Section 
5.2.2.1). 

e.  Assign  a  new  value  to  PTi+,  by  setting  it  equal  to  the  value  of  a  basis  vector  with 
a  "1"  bit  in  position  i+1,  where  i+l=2..64. 


NOTE:  This  continues  until  every  possible  basis  vector  has  been  represented  by  the  PT, 
i.e.  64  times.  The  output  from  the  lUT  shall  consist  of  64  output  strings.  Each  output 
string  shall  consist  of  information  included  in  Output  Type  2. 

3.       The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 

results  to  known  values  found  in  Appendix  B,  Table  1  for  DES  or  Table  5  for  Skipjack. 
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5.2.1.2  The  Inverse  Permutation  Known  Answer  Test  -  CBC  Mode 


MOVS:  Initialize  KEY:     If  DES,  KEY  =  0101010101010101  (odd  parity  set) 

If  Skipjack,  KEY  =  00000000000000000000 
IV  =  0000000000000000 

PTi  (where  i=l-64)  =  64  CT  values  from  the  Variable  Plaintext  Known  Answer 
test 

Send  KEY,  IV,  64,  PT,..PT64 

lUT:  FORi=lto64 
{ 

IB.=  PTj®  IV 

Perform  algorithm  in  encrypt  state,  resulting  in  CT; 

Send  i,  KEY,  IV,  PTi,  CT; 

PT^i  =  corresponding  PTi+,  from  MOVS 

} 

MOVS:  Compare  results  from  each  loop  with  known  answers 
Should  be  the  set  of  basis  vectors 


Figure  5.14  The  Inverse  Permutation  Known  Answer  Test  -  CBC  Mode 


Figure  5.14  illustrates  the  Inverse  Permutation  Known  Answer  test  for  the  CBC  mode. 
1.       The  MOVS  shall: 

a.  Initialize  the  KEY  parameter  to  the  constant  hexadecimal  value  0.  For  lUTs  of 
the  DES  algorithm,  the  KEY^e,  =  0101010101010101.  Note  that  the 
significant  bits  are  set  to  "0"  and  the  parity  bits  are  set  to  "1"  to  make  odd  parity. 

For  lUTs  of  the  Skipjack  algorithm,  the  KEY^ex  =  00  00  00  00  00  00  00  00  00 
00. 

b.  Initialize  the  64  bit  IV  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  IV^e^ 
=  00  00  00  00  00  00  00  00. 

c.  Initialize  the  64  bit  plaintext  values  PTj  (where  i=l-64)  to  the  CTj  results 
obtained  from  the  Variable  Plaintext  Known  Answer  test. 

d.  Forward  this  information  to  the  lUT  using  Input  Type  5. 


2.       The  lUT  shall  perform  the  following  for  i  =  1  through  64: 
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a.  Calculate  the  input  block  IBj  by  exclusive-ORing  PTj  with  IV,  i.e., 
(IBli,IB2j,...IB64i)  =  (PTlj©IVl,PT2i®IV2,...,  PT64i©IV64). 

b.  Process  IBj  through  the  DES  or  Skipjack  algorithm  in  the  encrypt  state,  resulting 
in  ciphertext  CTj. 

0.       Forward  the  current  values  of  the  loop  number  i,  KEY,  IV,  PT;,  and  the  resulting 
CTj  to  the  MOVS  as  specified  in  Output  Type  2. 

d.       Assign  a  new  value  to  PTi+,  by  setting  it  equal  to  the  corresponding  output  from 
the  Variable  Plaintext  Known  Answer  test  for  the  CBC  mode. 


NOTE:  This  processing  continues  until  all  ciphertext  values  from  the  Variable  Plaintext 
Known  Answer  test  have  been  used  as  input.  The  output  from  the  lUT  shall  consist  of 
64  output  strings.  Each  output  string  shall  consist  of  information  included  in  Output 
Type  2. 

The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values.  The  CT  values  should  be  the  set  of  basis  vectors  that  were  used 
as  plaintext  for  the  Variable  Plaintext  Known  Answer  test. 
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5.2.1.3  The  Variable  Key  Known  Answer  Test  for  the  Encryption  Process  -  CBC  Mode 


MOVS:  Initialize  KEY,:    If  DES,  KEY,  =  8001010101010101  (with  odd  parity) 

If  Skipjack,  KEY,  =  80000000000000000000 
IV  =  0000000000000000 
PT  = 0000000000000000 
Send  KEY,,  IV,  PT 


lUT:      FOR  i  =  1  to  «,  where  n  =  64  if  DES,  80  if  Skipjack 

{ 

IF  (algorithm  ==  SKIPJACK)  {process  every  bit} 
OR 

(algorithm  =  DES  AND  i  %8  !=  0) 

{process  every  bit  except  parity  bits} 

{ 

IB,  =  PT  ©  IV 

Perform  algorithm  in  encrypt  state  using  KEY^,  resulting  in  CT; 
Send  i,  KEY,,  IV,  PT,  CT, 

KEYj+i  =  vector  consisting  of  "0"  in  every  significant  bit  position 
except  for  a  single  "1"  bit  in  position  i+1.  Note  that  parity  bits  are 
"0"  or  "  1 "  to  make  the  KEY  odd  parity. 

} 


MOVS:  Compare  results  of  the  n  encryptions  with  known  answers 

For  DES,  use  Appendix  B,  Table  2.  For  Skipjack,  use  Appendix  B,  Table  6. 


Figure  5.15  The  Variable  Key  Known  Answer  Test  for  the  Encryption  Process  -  CBC 
Mode 


As  summarized  in  Figure  5.15,  the  Variable  Key  Known  Answer  test  for  the  CBC  Encryption 
Process  shall  be  performed  as  follows: 

1.       The  MOVS  shall: 

a.        Initialize  KEY,  to  contain  "0"  in  every  significant  bit  except  for  a  "  1 "  in  the  first 
position.  For  example,  if  validating  an  lUT  of  the  DES  algorithm,  the  64  bit 
KEY,  bin  =  10000000  00000001  00000001  00000001  00000001  00000001 
00000001  00000001.  The  equivalent  of  this  value  in  hexadecimal  notation  is  80 
01010101010101.  Note  that  the  parity  bits  are  set  to  "0"  or  "1"  to  get  odd 
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parity. 


If  validating  an  lUT  for  the  Skipjack  algorithm,  the  80  bit  KEY,    =  10000000 
00000000  00000000  00000000  00000000  00000000  00000000  00000000 
00000000  00000000.  The  equivalent  of  this  value  in  hexadecimal  notation  is  80 
00  00  00  00  00  00  00  00  00. 

b.  Initialize  the  64  bh  initialization  vector  IV  to  the  value  of  0,  i.e.,  IVhex=00  00  00 
00  00  00  00  00. 

c.  Initialize  the  64  bit  plaintext  PT  to  the  value  of  0,  i.e.,  PT^ex^OO  00  00  00  00  00 
00  00. 


d.       Forward  this  information  to  the  lUT  using  Input  Type  2. 


The  lUT  shall  perform  the  following  for  i  =  1  ton:  (NOTE:  n  equals  the  number  of 
significant  bits  in  a  DES  or  Skipjack  key.) 

a.  Calculate  the  input  block  IB^  by  exclusive-ORing  PT  with  the  IV,  i.e, 
(IBli,IB2i,...IB64i)  =  (PTl®IVl,PT2eIV2,...,PT64®IV64). 

b.  Using  the  corresponding  KEYj,  process  IBj  through  the  DES  or  Skipjack 
algorithm  in  the  encrypt  state,  resulting  in  ciphert^xt  CTj. 

c.  Forward  the  current  value  of  the  loop  number  i,  KEYj,  IV,  PT,  and  the  resulting 
CTj  to  the  MOVS  as  specified  in  Output  Type  2. 

d.  If  the  lUT  supports  decryption,  retain  CTj  for  use  with  the  Variable  Key  Known 
Answer  test  for  the  Decryption  Process  for  the  CBC  Mode  (Section  5.2.2.3). 

e.  Set  KEYj+i  equal  to  the  vector  consisting  of  "0"  in  every  significant  bit  position 
except  for  a  single  "  1 "  bit  in  position  i+1 .  The  parity  bits  are  set  for  odd  parity. 

NOTE:  The  above  processing  continues  until  every  significant  basis  vector  has  been 
represented  by  the  KEY  parameter.  The  output  from  the  lUT  for  this  test  shall  consist  of 
56  output  strings  if  DES  is  implemented  and  80  output  strings  if  Skipjack  is 
implemented.  Each  output  string  shall  consist  of  information  included  in  Output  Type 
2. 


3.       The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 

results  to  known  values  found  in  Appendix  B,  Table  2  for  DES  or  Table  6  for  Skipjack. 
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5.2.1.4  Permutation  Operation  Known  Answer  Test  for  the  Encryption  Process  -  CBC 
Mode 

NOTE:  This  test  shall  only  be  performed  for  lUTs  of  the  DES  algorithm. 


MOVS:  Initialize  KEY;  (where  i=  1-32)  =  32  KEY  values  in  Appendix  B,  Table  3 

IV  =  0000000000000000 
PT  =  0000000000000000 
Send  PT,  IV,  KEY,,  KEYj, ...  KEY32 

lUT:      FOR  i  =  1  to  32 
{ 

IBi  =  PT  ©  IV 

Perform  DES  algorithm  in  encrj^t  state  using  KEYj,  resulting  in  CT, 
Send  i,  KEY,,  IV,  PT,  CT, 
KEYi,,  =  KEYi^i  from  MOVS 

} 

MOVS:  Compare  results  with  known  answers 


Figure  5.16  The  Permutation  Operation  Known  Answer  Test  for  the  Encryption 
Process  -  CBC  Mode 

Figure  5.16  illustrates  the  Permutation  Operation  Known  Answer  test  for  the  CBC  Encryption 
Process. 

1.       The  MOVS  shall: 

a.  Initialize  KEYj,  where  i=  1  -32,  with  the  32  constant  KEY  values  from  Appendix 
B,  Table  3. 

b.  Initialize  the  64  bit  IV  to  the  value  of  0,  i.e.,  IV^e  =00  00  00  00  00  00  00  00. 

c.  Initialize  the  plaintext  PT  to  the  value  of  0,  i.e.,  PThe,=00  00  00  00  00  00  00  00. 

d.  Forward  this  information  to  the  lUT  using  Input  Type  8. 


2.       The  lUT  shall  perform  the  following  for  i  =  1  to  32: 
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a. 


Calculate  the  input  block  IBj  by  exclusive-ORing  PT  with  IV,  i.e, 
(IBli,IB2i,...IB64i)  =  (PTleIVl,PT2eIV2,...,  PT64eIV64). 


b.  Using  the  corresponding  KEYj,  process  IB;  through  the  DES  algorithm  in  the 
encrypt  state,  resulting  in  ciphertext  CT;. 

c.  Forward  the  current  value  of  the  loop  number  i,  KEYj,  IV,  PT,  and  the  resulting 
CTj  to  the  MOVS  as  specified  in  Output  Type  2. 

d.  If  the  lUT  supports  decryption,  retain  CTj  for  use  with  the  Permutation  Operation 
Known  Answer  test  for  the  Decryption  Process  for  the  CBC  mode  (Section 
5.2.2.4). 

e.  Set  KEY,+,  equal  to  the  corresponding  KEY  supplied  by  the  MOVS. 

NOTE:  The  above  processing  shall  continue  until  all  32  KEY  values  as  specified  in 
Input  Type  8  are  processed.  The  output  from  the  lUT  for  this  test  shall  consist  of  32 
output  strings.  Each  output  string  shall  consist  of  information  included  in  Output  Type 
2. 


The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values  found  in  Appendix  B,  Table  3. 
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5.2.1.5  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process 

NOTE:  This  test  shall  only  be  performed  for  lUTs  of  the  DES  algorithm. 


-  CBC  Mode 


MOVS:  Initialize 


KEY;  (where  i=l-19)  =  19  KEY  values  in  Appendix  B,  Table  4 
PTj  =  (where  i=l-19)  =  19  corresponding  PT  values  in  Table  4 
IV  =  0000000000000000 
IV,  19,  KEY,,  FT,,  KEY^,  PT2,...,KEY,„  PT,, 


Send 


lUT: 


FORi 


1  to  19 


IB^  =  PT,  ®  IV 

Perform  DES  algorithm  in  encrypt  state  using  KEY,,  resulting  in  CTj 

Send  i,  KEY,,  IV,  PT^,  CT, 

KEYj^,  =  KEY,^,  from  MOVS 

PTi+,  =  corresponding  PT^+i  from  MOVS 


MOVS:  Compare  results  from  each  loop  with  known  answers 


Figure  5.17  The  Substitution  Table  Known  Answer  Test  for  the  Encryption  Process  - 


CBC  Mode 

As  summarized  in  Figure  5.17,  the  Substitution  Table  Known  Answer  test  for  the  CBC 
Encryption  Process  shall  be  performed  as  follows: 

1.  The  MOVS  shall: 

a.  Initialize  the  KEY-plaintext  (KEY-PT)  pairs  with  the  1 9  constant  KEY-PT 
values  from  Appendix  B,  Table  4. 

b.  Initialize  IV  to  the  value  of  0,  i.e.,  IVhe,=00  00  00  00  00  00  00  00. 

c.  Forward  this  information  to  the  lUT  using  Input  Type  1 1 . 

2.  The  lUT  shall  perform  the  following  for  i  =  1  to  19: 

a.       Calculate  the  input  block  IBj  by  exclusive-ORing  PTj  with  the  IV,  i.e, 
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(IBli,IB2i,...IB64i)  =  (PTli©IVl,PT2ieIV2,...,PT64i®IV64). 


b.  Using  the  corresponding  KEYj,  process  IBj  through  the  DES  algorithm  in  the 
encrypt  state,  resulting  in  ciphertext  CTj. 

c.  Forward  the  current  value  of  the  loop  number  i,  KEYj,  IV,  FTj,  and  the  resulting 
CTj  to  the  MOVS  as  specified  in  Output  Type  2. 

d.  If  the  lUT  supports  decryption,  retain  CTj  for  use  with  the  Substitution  Table 
Known  Answer  test  for  the  CBC  Decryption  Process  (Section  5.2.2.5). 

e.  Set  KEYj+i  equal  to  the  corresponding  KEY  value  supplied  by  MOVS. 

f.  Set  PTj+,  equal  to  the  corresponding  PT  value  supplied  by  MOVS. 


NOTE:  The  above  processing  continues  until  all  19  KEY-PT  pairs,  as  specified  in  Input 
Type  1 1 ,  are  processed.  The  output  from  the  lUT  for  this  test  shall  consist  of  1 9  output 
strings.  Each  output  string  shall  consist  of  information  included  in  Output  Type  2. 


The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values  found  in  Appendix  B,  Table  4. 
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5.2.1.6  Modes  Test  for  the  Encryption  Process  -  CBC  Mode 


MOVS:  Initialize  KEYq,  IV,  PTq 
Send     KEYo,  IV,  PTp 

lUT:      FOR  i=  0  TO  399 
{ 


lf(i=0)  CVo  =  IV 
Record  i,  KEYj,  CVq,  PTq 
FOR  j  =  0  TO  9,999 
{ 

IBj  =  PTj  e  CVj 


Perform  algorithm  in  encrypt  state,  resulting  in  CTj 
IFj=0 


PTj.,=CVo 


} 


ELSE 
CVj,,  =  CTj 


PT,.,=CTj., 


Record  CTj 


Send  i,  KEY,,  CVp,  PTq,  CT^ 

KEYj^i  =  KEY,  e  last  n  bits  of  CT,  where  «=64  if  DES,  «=80  if  Skipjack 

PTq  —  CT999g 


CVq  CT9999 


} 

MOVS:  Check  lUT's  output  for  correctness 


Figure  5.18  The  Modes  Test  for  the  Encryption  Process  -  CBC  Mode 


As  summarized  in  Figure  5.18,  the  Modes  test  for  the  CBC  Encryption  Process  shall  be 
performed  as  follows: 

1.  The  MOVS  shall: 

a.  Initialize  the  KEY,  initialization  vector  IV  and  plaintext  PT  variables.  The  PT 
and  IV  shall  consist  of  64  bits  each.  The  KEY  length  shall  be  dependent  on  the 
algorithm  implemented  by  the  lUT. 

b.  Forward  these  values  to  the  lUT  using  Input  Type  2. 

2.  The  lUT  shall  perform  the  following  for  i  =  0  through  399: 

a.       If  i=0  (if  this  is  the  first  time  through  this  loop),  set  the  chaining  value  CVq  equal 
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to  the  IV. 


h.       Record  the  current  value  of  the  outer  loop  number  i,  KEYj,  CVo  and  PTq. 

c.  For  j  =  0  through  9999,  perform  the  following: 

i.  Set  the  input  block  IBj  equal  to  the  value  of  PTj  exclusive-ORed  with  the 
CVj,  i.e.,  (IBlj,  IB2j,  ...,IB64j)  =  (PTlj®CVlj,  PT2j®CV2j, 
PT64j®CV64j). 

ii.  Process  IBj  through  the  DES  or  Skipjack  algorithm  in  the  encrypt  state, 
resuhing  in  CTj. 

iii.  Prepare  for  loop  j+1  by  doing  the  following: 

Assign  CVj+,  with  the  current  value  of  CTj,  i.e.,  (CVlj+„  CV2j+„ 
CV64j,,)  =  (CTlj,  CT2j, CT64j). 

If  the  inner  loop  being  processed  is  the  first  loop,  i.e.,  j  =  0,  assign 
PTj^,  with  the  current  value  of  CVq,  i.e.,  (PTl  „  PT2„     PT64,)  = 
(CVlo,  CV2o, CV64o).  Otherwise,  assign  PTj+,  with  the  CT 
from  the  previous  inner  cycle,  CTj.,,  i.e.,  (PTlj+,, 
PT2j,„...,PT64j„)  =  (CTlj.,,  CT2j.„...CT64j.,). 

d.  Record  the  CTj . 

e.  Output  all  recorded  information  from  this  loop,  as  specified  in  Output  Type  2,  to 
the  MOVS. 

f.  Assign  a  new  value  to  the  KEY  in  preparation  for  the  next  outer  loop.  The  new 
KEY  shall  be  calculated  by  exclusive-ORing  the  current  KEY  with  the  current 
CT.  For  lUTs  of  the  DES  algorithm,  this  shall  equate  to  (KEYlj^,,  KEY2j+„  ... 
KEY64j^,)  =  (KEYlj®CTl9999,  KEY2i®CT29999, ...  KEY64i©CT649999). 

For  lUTs  of  the  Skipjack  algorithm,  CT  shall  be  expanded  in  length  to  80  bits 
(the  length  of  a  Skipjack  key)  before  the  new  KEY  can  be  formed.  This 
expansion  shall  be  accomplished  by  concatenating  the  1 6  rightmost  bits  of  the 
previous  CT  (CTgggg)  with  the  64  bits  of  the  current  CT  (CT9999).  This  value  shall 
then  be  exclusive-ORed  with  the  current  KEY  to  form  the  new  KEY,  i.e., 
(KEYli^,,  KEY2j+„  ...  KEY80j^,)  =  (KEYli®CT499998,  KEY2i®CT509998, ... 
KEY16i®CT649998,  KEY  17i®CTl 9999,  KEY18i®CT29999, ...  KEY80i®CT649999). 

g.  Assign  a  new  value  to  CVq  in  preparation  for  the  next  outer  loop.  CVq  shall  be 
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assigned  the  value  of  the  current  CT,  i.e.,  (CVIq,  CV2o,     CV64o)  =  (CTI9999, 
CT29999, CT649999).(Note  that  the  new  CV  shall  be  denoted  as  CVq  because 
this  value  is  used  for  the  first  pass  through  the  inner  loop  when  j=0.) 

h.       Assign  a  new  value  to  the  PT  in  preparation  of  the  next  outer  loop.  PTq  shall  be 
assigned  the  value  of  the  CT  from  the  previous  cycle,  i.e.,  (PTIq,  PT2o,...,PT64o) 
=  (CTI9998,  CT2999g,...,CT64999g).  (Note  that  the  new  PT  shall  be  denoted  as  PTq 
because  this  value  is  used  for  the  first  pass  through  the  inner  loop  when  j=0.) 

NOTE:  The  output  from  the  lUT  for  this  test  shall  consist  of  400  output  strings.  Each 
output  string  shall  consist  of  information  included  in  Output  Type  2. 

3.       The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values. 
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5.2.2  Decryption  Process 

The  process  of  validating  an  lUT  for  the  CBC  mode  of  the  DES  algorithm  which  implements 
the  decryption  process  shall  involve  the  successful  completion  of  the  following  six  tests: 

1 .  The  Variable  Ciphertext  Known  Answer  Test  -  CBC  mode 

2.  The  Initial  Permutation  Known  Answer  Test  -  CBC  mode 

3.  The  Variable  Key  Known  Answer  Test  for  the  Decryption  Process  -  CBC  mode 

4.  The  Permutation  Operation  Known  Answer  Test  for  the  Decryption  Process  -  CBC 
mode 

5.  The  Substitution  Table  Known  Answer  Test  for  the  Decryption  Process  -  CBC  mode 

6.  The  Modes  Test  for  the  Decryption  Process  -  CBC  mode 

The  validation  process  for  an  lUT  of  the  Skipjack  algorithm  using  the  CBC  mode  of  operation 
in  the  decryption  process  shall  require  the  successful  completion  of  tests  1,  2,  3,  and  6  only. 

An  explanation  of  the  tests  follows. 
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5.2.2.1  The  Variable  Ciphertext  Known  Answer  Test  -  CBC  Mode 


MOVS:  If  encryption  is  supported  by  the  lUT: 

Initialize  KEY:     If  DES,  KEY  =  0101010101010101  (odd  parity  set) 

If  Skipjack,  KEY=OOOOOOOO0OOOOOOOOO00 
IV  =  0000000000000000 
Send  KEY,  IV 

If  encryption  is  not  supported  by  the  lUT: 

Initialize  KEY :    If  DES ,  KE  Y=0  lOIOlOlOlOlOlOl  (odd  parity  set) 
If  Skipjack,  KEY=00000000000000000000 
IV  =  0000000000000000 

CTj  (where  i=l-64):  If  DES,  CT  values  in  Appendix  B,  Table  1 

If  Skipjack,  CT  values  in  Appendix  B,  Table  5 
Send      KEY,  IV,  64,  CT„  CT2,...,CTe4 

lUT:      If  encryption  is  supported: 

Initialize  CT|=  first  value  from  output  of  Variable  Plaintext  Known  Answer  test. 
Otherwise,  use  the  first  value  received  from  the  MOVS. 

FOR  i  =  1  to  64 
{ 

IB;  =  CT, 

Perform  algorithm  in  decrypt  state,  resulting  in  OB, 

PT;  =  OBi  ®  IV 

Send  i,  KEY,  IV,  CT,,  PT; 
If  encryption  is  supported: 

CTj+i  =  corresponding  CTi+,  from  output  of  Variable  Plaintext  Known  Answer 

test 

else 

CTi+i  =  corresponding  CTj+i  value  from  MOVS 

} 

MOVS:  Compare  results  from  each  loop  with  known  answers 


Figure  5.19  The  Variable  Ciphertext  Known  Answer  Test  -  CBC  Mode 


As  summarized  in  Figure  5.19,  the  Variable  Ciphertext  Known  Answer  test  for  the  CBC  mode 
of  operation  shall  be  performed  as  follows: 

1.       The  MOVS  shall: 
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a.  Initialize  the  KEY  parameter  to  the  constant  hexadecimal  value  0.  For  lUTs  of 
the  DES  algorithm,  KEY^e,  =  0101010101010101.  Note  that  the  significant 
bits  are  set  to  "0"  and  the  parity  bits  are  set  to  "  1 "  to  make  odd  parity.  For 
Skipjack  implementations,  the  KEY^e^  =  00  00  00  00  00  00  00  00  00  00. 

b.  Initialize  the  initialization  vector  IV  to  the  constant  hexadecimal  value  0,  i.e., 
IVhex  =  00  00  00  00  00  00  00  00. 

c.  If  the  lUT  is  of  the  DES  algorithm,  and  it  does  not  support  encryption,  initialize 
the  64  ciphertext  CT  values  with  the  64  constant  CT  values  from  Appendix  B, 
Table  1.  If  the  lUT  is  of  the  Skipjack  algorithm,  and  it  does  not  support 
encryption,  initialize  the  64  ciphertext  CT  values  with  the  64  constant  values 
from  Appendix  B,  Table  5. 

d.  If  encryption  is  supported  by  the  lUT,  forward  the  KEY  and  IV  to  the  lUT,  as 
specified  in  Input  Type  6.  If  encryption  is  not  supported  by  the  lUT,  forward  the 
KEY,  IV  and  CT  to  the  lUT,  as  specified  in  Input  Type  5. 

2.       The  lUT  shall: 

a.  If  encryption  is  supported,  initialize  the  CT  value  with  the  first  CT  value  retained 
from  the  Variable  Plaintext  Known  Answer  test  for  the  CBC  Mode  (Section 

5.2. 1 . 1 ).  Otherwise,  use  the  first  value  received  from  the  MOVS. 

b.  Perform  the  following  for  i=l  through  64: 

i.  Set  the  input  block  IB;  equal  to  the  value  of  CT„  i.e.,  (IB  1  i,IB2i,...,IB64i) 
=  (CTli,CT2i,...,CT64i). 

ii.  Process  IB^  through  the  DES  or  Skipjack  algorithm  in  the  decrypt  state, 
resulting  in  the  output  block  OBj. 

iii.  Calculate  the  plaintext  PTj  by  exclusive-ORing  OBj  with  IV,  i.e.,  (PTlj, 
PT2i,...,PT64i)  =  (OBli®IVl,  OB2i©IV2,...,OB64i©IV64). 

iv.  Forward  the  current  value  of  the  loop  number  i,  KEY,  IV,  CTj,  and  the 
resulting  PTj  to  the  MOVS  using  Output  Type  2. 

.  v.      If  encryption  is  supported,  set  CT^+^  equal  to  the  corresponding  output 

from  the  Variable  Plaintext  Known  Answer  test  for  CBC  mode.  If 
encryption  is  not  supported,  assign  a  new  value  to  CTi+,  by  setting  it 
equal  to  the  corresponding  CTj+i  value  supplied  by  the  MOVS. 
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NOTE:  The  output  from  the  lUT  for  this  test  shall  consist  of  64  output  strings.  Each 
output  string  shall  consist  of  information  included  in  Output  Type  2. 

The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values. 
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5.2.2.2  The  Initial  Permutation  Known  Answer  Test  -  CBC  Mode 


MOVS:  Initialize  KEY:     If  DES,  KEY  =  OlOlOlOlOlOIOlOl  (odd  parity  set) 

If  Skipjack,  KEY=00000000000000000000 
IV  =  0000000000000000 

CTj  (where  i=I-64):  64  PT  values  from  Variable  Ciphertext  Known 
Answer  test 
Send      KEY,  IV,  64,  CT„  CT2,...,CT64 

lUT:      Initialize  CT|=  first  value  from  output  of  Variable  Ciphertext  Known  Answer  test. 

FOR  i  =  1  to  64 
{ 

IB;  =  CTi 

Perform  algorithm  in  decrypt  state,  resulting  in  OB, 

PT,  =  OB,  ®  IV 

Send  i,  KEY,  IV,  CT„  PT, 

CTj+i  =  corresponding  CTj+,  value  from  MOVS 


MOVS:  Compare  results  from  each  loop  with  known  answers.  For  DES,  use  Appendix  B,  Table  1,  For 
Skipjack,  use  Appendix  B,  Table  5. 


Figure  5.20  The  Initial  Permutation  Known  Answer  Test  -  CBC  Mode 


As  summarized  in  Figure  5.20,  the  Initial  Permutation  Known  Answer  test  for  the  CBC  mode  of 
operation  shall  be  performed  as  follows: 

1.       The  MOVS  shall: 

a.  Initialize  the  KEY  parameter  to  the  constant  hexadecimal  value  0.  For  lUTs  of 
the  DES  algorithm,  KEY^ex  =  0101010101010101.  Note  that  the  significant 
bits  are  set  to  "0"  and  the  parity  bits  are  set  to  "  1 "  to  make  odd  parity.  For 
Skipjack  implementations,  the  KEY^e,  =  00  00  00  00  00  00  00  00  00  00. 

b.  Initialize  the  initialization  vector  IV  to  the  constant  hexadecimal  value  0,  i.e., 
IVhex  =  00  00  00  00  00  00  00  00. 

c.  Initialize  the  64  CT  values  with  the  64  PT  values  obtained  from  the  Variable 
Ciphertext  Known  Answer  test. 
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d. 


Forward  the  KEY,  IV  and  the  64  CT  values  to  the  lUT,  as  specified  in  Input 
Type  5. 


2.  The  lUT  shall  perform  the  following  for  i=l  through  64: 

a.  Set  the  input  block  IB,  equal  to  the  value  of  CT„  i.e.,  (IBli,IB2„...,IB64j)  = 
(CTli,CT2i,...,CT64i). 

b.  Process  IBj  through  the  DES  or  Skipjack  algorithm  in  the  decrypt  state,  resulting 
in  the  output  block  OBj. 

c.  Calculate  the  plaintext  PT;  by  exclusive-ORing  OBj  with  IV,  i.e.,  (PTlj, 
PT2i,...,PT64i)  =  (OBli©IVl,  OB2i©IV2,...,OB64i©IV64). 

d.  Forward  the  current  value  of  the  loop  number  i,  KEY,  IV,  CT^,  and  the  resulting 
PTj  to  the  MOVS  using  Output  Type  2. 

e.  Set  CTj+,  equal  to  the  corresponding  CTj+,  value  supplied  by  the  MOVS. 

NOTE:  The  output  from  the  lUT  for  this  test  shall  consist  of  64  output  strings.  Each 
output  string  shall  consist  of  information  included  in  Output  Type  2. 

3.  The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values. 
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5.2.2.3  The  Variable  Key  Known  Answer  Test  for  the  Decryption  Process  -  CBC  Mode 


MOVS:  Initialize  KEY:   If  DES,  KEY,  =  8001010101010101  (odd  parity  set) 

If  Skipjack,  KEY,  =  80000000000000000000 
IV=0000000000000000 
If  encryption  is  supported  by  the  lUT: 
Send  KEY,,  IV 

If  encryption  is  not  supported  by  the  RJT: 

Initialize  CT  values:  If  DES,  initialize  CT  values  with  values  in  Appendix  B,  Table  2 
If  Skipjack,  initialize  CT  values  with  values  in  Appendix  B, 
Table  6. 

Send  KEY,,  IV,  n  (where  n=64  if  DES,  80  if  Skipjack),  CT„  CT2,...,  CT„ 

lUT:      If  encryption  is  supported  by  the  lUT: 

Initialize  CT,  =  first  value  from  output  of  Variable  Key  Known  Answer  test  for  the 
Encryption  Process  for  the  CBC  Mode. 
Otherwise,  use  the  first  value  received  from  the  MOVS. 

FOR  i  =  1  to  «,  where  n  =  56  if  DES,  80  if  Skipjack 
{ 

IF  (algorithm  ==  SKIPJACK)  {process  every  bit} 
OR 

(algorithm  ==  DES  AND  i  %8  !=  0) 

{process  every  bit  except  parity  bits} 

{ 

IB,  =  CTi 

Perform  algorithm  in  decrypt  state,  resulting  in  OB; 

PT,  =  OB,  ®  IV 

Send  i,  KEY,,  IV,  CTj,  PT; 

KEYi+,  =  vector  consisting  of  "0"  in  every  significant  bit  position  except 

for  a  single  "1 "  bit  in  the  i+T'  position.  Note  that  odd  parity  is  set. 

If  encryption  is  supported  by  the  lUT: 

CTj+i  =  corresponding  CTj+i  from  output  of  Variable  Key  Known 
Answer  test  for  the  Encryption  Process  for  CBC  Mode 

else 

CTj+i  =  corresponding  CTi+,  value  from  MOVS 

} 

} 

MOVS:  Compare  results  of  the  n  decryptions  with  known  answers 


Figure  5.21  The  Variable  Key  Known  Answer  Test  for  the  Decryption  Process  -  CBC 
Mode 


Figure  5.21  illustrates  the  Variable  Key  Known  Answer  test  for  the  CBC  Decryption  Process. 
1.       The  MOVS  shall: 
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a.  Initialize  KEY,  to  contain  "0"  in  every  significant  bit  except  for  a  "  1 "  in  the  first 
position.  (Note  that  odd  parity  is  set  on  the  KEY.)  For  example,  if  validating  an 
lUT  of  the  DES  algorithm,  the  64  bit  KEY,    =  10000000  00000001  00000001 
00000001  00000001  00000001  00000001  00000001.  The  equivalent  of  this 
value  in  hexadecimal  notation  is  80  01010101010101. 

If  validating  an  lUT  of  the  Skipjack  algorithm,  the  80  bit  KEY,    =  10000000 
00000000  00000000  00000000  00000000  00000000  00000000  00000000 
00000000  00000000.  The  equivalent  of  this  value  in  hexadecimal  notation  is  80 
00  00  00  00  00  00  00  00  00. 

b.  Initialize  IV  to  contain  the  value  of  zero,  i.e.,  IVh,,  =  00  00  00  00  00  00  00  00. 

c.  If  the  lUT  is  of  the  DES  algorithm,  and  encryption  is  not  supported,  initialize  CTj 
values  with  the  56  constant  CT  values  from  Appendix  B,  Table  2.  Otherwise,  if 
the  lUT  is  of  the  Skipjack  algorithm,  and  encryption  is  not  supported,  initialize 
the  CTj  values  with  the  80  constant  CT  values  from  Appendix  B,  Table  6. 

d.  If  encryption  is  not  supported  by  the  lUT,  forward  the  KEY,  IV,  and  the  multiple 
CT  values  to  the  lUT,  as  specified  in  Input  Type  5.  Otherwise,  forward  the  KEY 
and  IV  to  the  lUT,  as  specified  in  Input  Type  6. 


2.       The  lUT  shall: 

a.  If  encryption  is  supported,  initialize  the  CT  value  with  the  first  CT  value  retained 
from  the  Variable  Key  Known  Answer  test  for  the  Encryption  Process  for  the 
CBC  Mode  (Section  5.2.1.3).  Otherwise,  use  the  first  value  received  from  the 
MOVS. 

b.  Perform  the  following  for  i=l  to  n,  where  «  =  56  for  DES  or  80  for  Skipjack: 

i.  Set  the  input  block  IB,  equal  to  the  value  of  CTj,  i.e.,  (IB  1  „  IB2i,...,  IB64i) 
=  (CTli,  CT2„...,CT64i). 

ii.  Process  IB,  through  the  DES  or  Skipjack  algorithm  in  the  decrypt  state, 
resulting  in  output  block  OBj. 

iii.  Calculate  the  plaintext  PTj  by  exclusive-ORing  OB,  with  IV,  i.e.,  (PT 1  „ 
PT2i,...,PT64,)  =  (OBljelVl,  OB2,©IV2,...,OB64j©IV64). 

iv.  Forward  the  current  values  of  the  loop  number  i,  KEY;,  IV,  CTj  and  the 
resulting  PT;  to  the  MOVS  using  Output  Type  2. 
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V.  Set  KEYj+i  equal  to  the  vector  consisting  of  "0"  in  every  significant  bit 
position  except  for  a  single  "1"  bit  in  the  i+P*  position.  The  parity  bits 
are  set  for  odd  parity. 


vi.      If  encryption  is  supported,  set  CT-+,  equal  to  the  corresponding  CTi+, 
value  retained  from  the  Variable  Key  Known  Answer  test  for  the 
Encryption  Process  for  CBC  mode.  If  encryption  is  not  supported  by  the 
lUT,  set  CT|+,  equal  to  the  corresponding  CTj+,  value  supplied  by  the 
MOVS. 


NOTE:  The  output  from  the  lUT  for  this  test  shall  consist  of  56  output  strings  if  DES  is 
being  implemented,  or  80  output  strings  if  Skipjack  is  implemented.  Each  output  string 
shall  consist  of  information  included  in  Output  Type  2. 

The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values. 
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5.2.2.4  Permutation  Operation  Known  Answer  Test  for  Decryption  Process  -  CBC  Mode 

NOTE:  This  test  shall  only  be  performed  for  lUTs  of  the  DES  algorithm. 


MOVS:  Initialize  KEY;  (where  i=l -32)  =  KEY  values  in  Appendix  B,  Table  3 

IV  =  0000000000000000 
If  encryption  is  supported  by  the  lUT: 

Send  IV,32,  KEY,,  KEY 2,..., KEY 
If  encryption  not  supported  by  the  lUT: 

Initialize  CT,  (where  i=I-32)  =  corresponding  CT  values  in  Table  3 
Send  IV,32,  KEY,,  CT„  KEY^,  CT2,...,KEY,2,  CT32 

lUT:      If  encryption  is  supported  by  the  lUT: 

Initialize  CT,  =  first  value  retained  from  Permutation  Operation  Known  Answer  test  for  the 
Encryption  Process  for  the  CBC  Mode. 
Otherwise,  use  the  first  value  received  from  the  MOVS. 

FOR  i  =  1  to  32 
{ 

IB,  =  CT, 

Perform  DES  algorithm  in  decrypt  state  using  KEYj,  resulting  in  OBj 

PT,  =  OBi  ®  IV 

Send  i,  KEY,,  IV,  CT,,  PT, 

KEY,+,  =  corresponding  KEY  supplied  by  MOVS 

If  encryption  is  supported: 

CTi+,  =  corresponding  CTj+i  from  output  of  Permutation  Operation  Known 
Answer  test  for  the  Encryption  Process  for  the  CBC  mode 

else 

CT|+,  =  corresponding  CTi+,  from  MOVS 

} 

MOVS:  Compare  results  from  each  loop  with  known  answers 


Figure  5.22  The  Permutation  Operation  Known  Answer  Test  for  the  Decryption  Process 
CBC  Mode 


As  summarized  in  Figure  5.22,  the  Permutation  Operation  Known  Answer  test  for  the  CBC 
Decryption  Process  shall  be  performed  as  follows: 

1.       The  MOVS  shall: 

a.  If  the  lUT  supports  encryption,  initialize  the  KEY  values  with  the  32  constant 
KEY  values  supplied  from  Appendix  B,  Table  3.  If  the  lUT  does  not  support 
encryption,  initialize  the  KEY-ciphertext  (KEY-CT)  pairs  with  the  32  constant 
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KEY-CT  pairs  from  Table  3. 

b.  Initialize  IV  to  contain  the  value  of  zero,  i.e.,  IV^ex  =  00  00  00  00  00  00  00  00. 

c.  If  encryption  is  supported  by  the  lUT,  forward  the  KEY  and  IV,  as  specified  in 
Input  Type  12.  Forward  the  KEY,  CT,  and  IV  to  the  lUT  using  Input  Type  1 1  if 
encryption  is  not  supported  by  the  lUT. 


The  lUT  shall: 


If  encryption  is  supported,  initialize  the  CT  value  with  the  first  CT  value  retained 
from  the  Permutation  Operation  Known  Answer  test  for  the  Encryption  Process 
for  the  CBC  Mode  (Section  5.2. 1 .4).  Otherwise,  use  the  first  value  received 
from  the  MOVS. 

Perform  the  following  for  i  =  1  to  32: 

i.  Set  the  input  block  IB;  equal  to  the  value  of  CT;,  i.e,  (IB  1^,132;,.. .IB64j)  = 
(CTli,CT2i,...,CT64i). 

ii.  Using  the  corresponding  KEY,,  process  IBj  through  the  DES  algorithm  in 
the  decrypt  state,  resulting  in  OBj. 

iii.  Calculate  PT^  by  exclusive-ORing  OB,  with  IV,  i.e.,  (PTl^,  PT2i,...,PT64i) 
=  (OBlielVl,  OB2ieIV2,...,OB64i©IV64). 

iv.  Forward  the  current  values  of  the  loop  number  i,  KEYj,  IV,  CT;  and  the 
resulting  PTj  to  the  MOVS  using  Output  Type  2. 

v.  Set  KEYj+i  equal  to  the  i+P'  value  supphed  by  the  MOVS. 

vi.  If  encryption  is  supported,  set  CTj+,  equal  to  the  corresponding  CTj^, 
value  retained  from  the  Permutation  Operation  Known  Answer  test  for 
the  Encryption  Process  for  CBC  Mode.  If  encryption  is  not  supported, 
set  CTj+i  equal  to  the  corresponding  CTj^,  value  supplied  by  the  MOVS. 

NOTE:  The  above  processing  shall  continue  until  all  32  KEY-CT  values,  as 
specified  in  Input  Type  1 1,  or  all  32  KEY  values,  as  specified  in  Input  Type  12 
are  processed.  The  output  from  the  lUT  for  this  test  shall  consist  of  32  output 
strings.  Each  output  string  shall  consist  of  information  contained  in  Output  Type 
2. 
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The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values. 
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5.2.2.5  Substitution  Table  Known  Answer  Test  for  the  Decryption  Process  -  CBC  Mode 

NOTE:  This  test  shall  only  be  performed  for  lUTs  of  the  PES  algorithm.   

MOVS:  Initialize:  KEY,  (where  i=l- 19)=  KEY  values  in  Appendix  B,  Table  4 

IV  =  0000000000000000 
If  encryption  is  supported  by  the  lUT: 

Send  IV,  19,  KEY,,  KEY2,...,KEY,9 
If  encryption  not  supported: 

Initialize  CT;  (where  i=  1-19)=  CT  values  in  Table  4 
Send  IV,  19,  KEY,,  CT„  KEY^,  CT2,...,KEY,„  CT,^ 

lUT:      If  encryption  is  supported: 

Initialize  CT,  =  first  CT  value  from  output  of  Substitution  Table  Known  Answer  test  for 
the  Encryption  Process  for  the  CBC  Mode. 
Otherwise,  use  the  first  value  received  from  the  MOVS. 
FORi=ltol9 
{ 

IB,  =  CT, 

Perform  DES  algorithm  in  decrypt  state  using  KEY,,  resulting  in  OB, 

PT,=OB,  e  IV 

Send  i,  KEY,,  IV,  CT,,  PT, 

KEYj+i  =  corresponding  KEY  supplied  by  MOVS 

If  encryption  is  supported: 

CTj+,  =  corresponding  CT  from  output  of  Substitution  Table  Known  Answer  test 
for  the  Encryption  Process  for  the  CBC  mode 

else 

CTi+,  =  corresponding  CT  firom  MOVS 

} 

MOVS:  Compare  results  from  each  loop  with  known  answers 


Figure  5.23  The  Substitution  Table  Known  Answer  Test  for  the  Decryption  Process  -  CBC 
Mode 


Figure  5.23  illustrates  the  Substitution  Table  Known  Answer  test  for  the  CBC  Decryption 
Process. 

1.       The  MOVS  shall: 

a.  If  the  lUT  supports  encryption,  initialize  the  KEY  values  with  the  1 9  constant 
KEY  values  supplied  from  Appendix  B,  Table  4.  If  the  lUT  does  not  support 
encryption,  initialize  the  KEY-ciphertext  (KEY-CT)  pairs  with  19  constant 
KEY-CT  pairs  from  Appendix  B,  Table  4. 

b.  Initialize  IV  to  contain  the  value  of  zero,  i.e.,  IVhe^  =  00  00  00  00  00  00  00  00. 
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c.  If  encryption  is  supported  by  the  lUT,  forward  the  IV  and  the  1 9  KEY  values,  as 
specified  in  Input  Type  12.  Otherwise,  forward  the  IV  and  the  19  KEY-CT  pairs 
to  the  lUT,  as  specified  in  Input  Type  11. 

The  lUT  shall: 

a.  If  encryption  is  supported,  initialize  the  CT  value  with  the  first  CT  value  retained 
from  the  Substitution  Table  Known  Answer  test  for  the  Encryption  Process  for 
the  CBC  Mode  (Section  5.2.1.5).  Otherwise,  use  the  first  CT  value  received 
from  the  MOVS. 

b.  Perform  the  following  for  i  =  1  to  19: 

i.  Set  the  input  block  IBj  equal  to  the  value  of  CTj,  i.e,  (IBli,IB2i,...IB64  )  = 
(CTl„CT2i,...,CT64,). 

ii.  Using  the  corresponding  KEYj,  process  IB^  through  the  DES  algorithm  in 
the  decrypt  state,  resulting  in  the  output  block  OBj. 

iii.  Calculate  PT;  by  exclusive-ORing  OBj  with  IV,  i.e.,  (PTlj,  PT2i,...,PT64i) 
=  (OBljelVl,  OB2i©IV2,  ...,OB64,®IV64). 

iv.  Forward  the  current  values  of  the  loop  number  i,  KEY;,  IV,  CTj  and  the 
resulting  PTj  to  the  MOVS  as  specified  in  Output  Type  2. 

v.  Set  KEYj+i  equal  to  i+P'  value  supplied  by  MOVS. 

vi.  If  encryption  is  supported,  set  CTi+,  equal  to  the  corresponding  CTi+, 
value  retained  from  the  Substitution  Table  Known  Answer  test  for  the 
Encryption  Process  for  the  CBC  Mode.  If  encryption  is  not  supported, 
set  CTj+i  equal  to  the  corresponding  CTi+,  value  supplied  by  the  MOVS. 

NOTE:  The  above  processing  shall  continue  until  the  IV  and  all  19  KEY-CT  pairs,  as 
specified  in  Input  Type  1 1 ,  or  the  IV  and  all  1 9  KEY  values,  as  specified  in  Input  Type 
12,  are  processed.  The  output  from  the  lUT  for  this  test  shall  consist  of  19  output 
strings.  Each  output  string  shall  consist  of  informadon  included  in  Output  Type  2. 

The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values. 
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5.2.2.6  Modes  Test  for  the  Decryption  Process  -  CBC  Mode 


MOVS:  Initialize 
Send 


KEYo,IVo,CTo 
KEYo,IVo,  CTo 


lUT: 


FOR  i  =  0  TO  399 


If(i=0)CVo  =  IVo 
Record  i,  KEY;,  CVo,  CTo 
FORj  =  0TO  9,999 


IB:  =  CT: 


Perform  algorithm  in  decrypt  state,  resulting  in  OBj 
PTj  =  OBj  ®  CVj 
CVj„  =  CT^ 
CTj„  =  PTj 

} 

Record  PTj 

Send  i,  KEY;,  CVo,  CTg,  PTj 

KEYi+i  =  KEY;  ©  last «  bits  of  PT,  where  «=64  if  DES,  «=80  if  Skipjack 


MOVS:  Check  lUT's  output  for  correctness 


Figure  5.24  The  Modes  Test  for  the  Decryption  Process  -  CBC  Mode 


Figure  5.24  illustrates  the  Modes  test  for  the  CBC  Decryption  Process. 
1.       The  MOVS  shall: 

a.  Initialize  KEY,  the  initialization  vector  IV  and  ciphertext  CT  variables.  The  CT 
and  IV  shall  consist  of  64  bits,  while  the  KEY  length  shall  be  dependent  on  the 
algorithm  implemented  by  the  lUT. 

b.  Forward  these  values  to  the  lUT  using  Input  Type  2. 


CVo  =  CT, 
CTo  =  PT^ 


9999 


9999 
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2. 


The  lUT  shall  perform  the  following  for  i=0  through  399: 


a.  If  i-0  (if  this  is  the  first  time  through  this  loop),  set  the  chaining  value  CVn  equal 
to  IV. 

b.  Record  the  current  value  of  the  outer  loop  number  i,  KEYj,  CVq,  and  CTq. 

c.  For  j=0  through  9999,  perform  the  following: 

i.       Set  the  input  block  IBj  equal  to  the  value  of  CT:,  i.e.,  (IB  1 ,  IB2 
IB64j)  =  (CTlj,  CT2j,...,  CT64j).  '  ' 

ii.  Process  the  IBj  through  the  DES  or  Skipjack  algorithm  in  the  decrypt 
state,  resuhing  in  an  output  block  OBj. 

iii.  Form  the  plaintext  PT^  by  exclusive-ORing  OBj  with  the  current  CVj,  i.e., 
(PTlj,  PT2j,...,PT64j)  =  (OBlj©CVlj,  OB2j®CV2^, OB64^©CV64/). 

iv.  Prepare  for  the  j+1  loop  by: 

-  Assigning  CVj+,  with  the  value  of  the  current  CTj,  i.e.,  (CVlj+,, 

CV2j,„     CV64j„)  =  (CTl^,  CT2j, CT64j); 

-  Assigning  CTj+,  with  the  value  of  the  current  PTj,  i.e.,  (CTlj+,, 

CT2j,„     CT64j„)  =  (PTlj,  PT2j,...,PT64j). 

d.  Record  PTj. 

e.  Output  all  the  recorded  information  from  this  loop  using  Output  Type  2. 

f.  Assign  a  new  value  to  the  KEY  in  preparation  for  the  next  outer  loop.  The  new 
KEY  shall  be  calculated  by  exclusive-ORing  the  current  KEY  with  the  current 
PT.  For  lUTs  of  the  DES  algorithm,  this  shall  equate  to  (KEYli+,,  KEY2i+„  ... 
KEY64,,,)  =  (KEYliePTl9999,  KEY2,®?T2,,,g, ...  KEY64i©PT649999). 

For  lUTs  of  the  Skipjack  algorithm,  the  PT  shall  be  expanded  in  length  to  80 
bits  (the  length  of  a  Skipjack  key)  before  the  new  KEY  can  be  formed.  This 
expansion  shall  be  accomplished  by  concatenating  the  16  rightmost  bits  of  the 
previous  PT  (PTgggg)  with  the  64  bits  of  the  current  PT  (PT9999).  This  value  shall 
then  be  exclusive-ORed  with  the  current  KEY  to  form  the  new  KEY,  i.e., 
(KEYli,,,  KEY2i,„  ...  KEY80i„)  =  (KEYli©PT499998,  KEY2i©PT5  09998, ... 
KEY16j®PT649998,  KEY  17i©PTl 9999,  KEY18,®PT29999, ...  KEY80i®PT649999). 

g.  Assign  a  new  value  to  CV  in  preparation  for  the  next  outer  loop.  CVq  shall  be 
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assigned  the  value  of  the  current  CT,  i.e.,  (CVIq,  CV2o,...,CV64o)  =  (CTI9999, 
CT29999,... ,0X649999).  (Note  that  the  new  CV  shall  be  denoted  as  CVq  to  be  used 
for  the  first  pass  through  the  inner  loop  when  j=0.) 

h.       Assign  a  new  value  to  CT  in  preparation  for  the  next  outer  loop.  CTq  shall  be 
assigned  the  value  of  the  current  PT,  i.e.,  (CTIq,  CT2o,...,CT64o)  =  (PTI9999, 
PT29999,...,PT649999).  (Notc  that  the  new  CT  shall  be  denoted  as  CTo  to  be  used 
for  the  first  pass  through  the  inner  loop  when  j=0.) 

NOTE:  The  output  from  the  lUT  for  this  test  shall  consist  of  400  output  strings 
consisting  of  information  included  in  Output  Type  2. 

The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values. 
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5.3  The  Cipher  Feedback  (CFB)  Mode 


The  lUTs  of  the  DES  or  Skipjack  algorithm  in  the  Cipher  Feedback  (CFB)  mode  of  operation 
shall  be  validated  by  successfully  completing  (1)  a  set  of  Known  Answer  tests  applicable  to 
both  lUTs  supporting  encryption  and/or  decryption  and  (2)  a  Modes  test  for  each  cryptographic 
process  supported  by  the  lUT. 

The  process  of  validating  an  lUT  of  the  DES  algorithm  which  supports  the  encryption  and/or 
decryption  processes  of  the  K-bit  CFB  mode  shall  involve  the  successful  completion  of  the 
following  six  tests: 

1 .  The  Variable  Text  Known  Answer  Test  -  K-bit  CFB  mode 

2.  The  Inverse  Permutation  Known  Answer  Test  -  K-bit  CFB  mode 

3.  The  Variable  Key  Known  Answer  Test  -  K-bit  CFB  mode 

4.  The  Permutation  Operation  Known  Answer  Test  -  K-bit  CFB  mode 

5.  The  Substitution  Table  Known  Answer  Test  -  K-bit  CFB  mode 

6.  The  Modes  Test  for  the  Encryption  Process  -  K-bit  CFB  mode  (if  encryption  is 
supported) 

OR 

The  Modes  Test  for  the  Decryption  Process  -  K-bit  CFB  mode  (if  decryption  is 
supported) 

Note,  for  lUTs  of  the  DES  algorithm,  K  can  range  from  1  to  64  bits. 

The  validation  process  for  an  lUT  of  the  Skipjack  algorithm  which  supports  the  encryption 
and/or  decryption  process  of  the  64-bit  CFB  mode  of  operation  shall  involve  the  successful 
completion  of  tests  1,  2,  3,  and  6  only. 

An  explanation  of  the  tests  follows. 


5.3.1  The  Known  Answer  Tests  -  CFB  Mode 

The  K-bit  CFB  mode  shall  only  have  one  set  of  Known  Answer  tests  which  shall  be  used 
regardless  of  supported  process,  i.e.,  the  same  set  of  Known  Answer  tests  shall  be  used  for  lUTs 
supporting  the  encryption  and/or  decryption  processes. 

Throughout  this  section,  TEXT  and  RESULT  will  refer  to  different  variables  depending  on 
whether  the  encryption  or  decryption  process  is  being  tested.  If  the  lUT  performs  CFB 
encryption,  TEXT  refers  to  plaintext,  and  RESULT  refers  to  ciphertext.  If  the  lUT  performs 
CFB  decryption,  TEXT  refers  to  ciphertext,  and  RESULT  refers  to  plaintext. 
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5.3.1.1  The  Variable  Text  Known  Answer  Test  -  CFB  Mode 


NOTE:  If  Skipjack,  K  shall  equal  64. 

MOVS:  Initialize 


Send 

lUT:  FORi=lto64 
{ 

IB-IVi 

Perform  algorithm  in  encrypt  state,  resulting  in  OBj 

K-bit  RESULT^  LM^(OBi)©  K-bit  TEXT 

Send  i,  KEY,  IV^,  K-bit  TEXT,  K-bit  RESULT; 

IVj+,  =  basis  vector  where  single  "1"  bit  is  in  position  i+1 

} 

MOVS:  Compare  RESULT  from  each  loop  with  known  answers 

If  DES,  use  K  bits  of  output  in  Appendix  B,  Table  1 .  If  Skipjack,  use  64  bits  of  output  in  Appendix 
B,  Table  5. 


Figure  5.25  The  Variable  Text  Known  Answer  Test  -  CFB  Mode 


As  summarized  in  Figure  5.25,  the  Variable  Text  Known  Answer  test  for  the  CFB  mode  shall 
be  performed  as  follows  (Note,  in  the  following  text,  if  the  lUT  is  of  the  Skipjack  algorithm,  K 
shall  equal  64.): 

1.       The  MOVS  shall: 

a.  Initialize  the  KEY  parameter  to  the  constant  hexadecimal  value  0.  For  lUTs  of 
the  DES  algorithm,  the  KEY  =  01  01  01  01  01  01  01  01.  Note  that  the 
significant  bits  are  set  to  "0"  and  the  parity  bits  are  set  to  "  1 "  to  make  odd  parity. 

j 

For  lUTs  of  the  Skipjack  algorithm,  the  KEY  =  00  00  00  00  00  00  00  00  00  00. 

b.  Initialize  the  64  bit  initialization  vector  IV,  to  the  basis  vector  containing  a  "1"  in 
the  first  bit  position  and  "0"  in  the  following  63  positions,  i.e.,  IV,    =  10000000 
00000000  00000000  00000000  00000000  00000000  00000000  00000000.  The 
equivalent  of  this  value  in  hexadecimal  notation  is  80  00  00  00  00  00  00  00. 

i; 


KEY:     If  DES,  KEY  =  0101010101010101  (odd  parity  set) 

If  Skipjack,  KEY  =  00000000000000000000 
IV,  =  8000000000000000 
K-bit  TEXT  =  0 
KEY,  I V„  K-bit  TEXT 
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c.       Initialize  the  K-bit  TEXT  parameter  to  the  constant  hexadecimal  value  0,  where 
K  =  1  ...  64  for  DES  and  K  =  64  for  Skipjack. 


d.       Forward  this  information  to  the  lUT  using  Input  Type  2. 
The  lUT  shall  perform  the  following  for  i  =  1  through  64: 

a.  Assign  the  value  of  the  initialization  vector  IVj  to  the  input  block  IBj,  i.e.,  (IB  1 
IB2i,...,  IB64i)  =  (IVli,  IV2j,...,  IV64i). 

b.  Process  IBj  through  the  DES  or  Skipjack  algorithm  in  the  encrypt  state,  resulting 
in  a  64-bit  output  block  OBj. 

c.  Calculate  the  K-bit  RESULTj  by  exclusive-ORing  the  leftmost  K-bits  of  OB, 
with  the  K-bit  TEXT,  i.e.,  (RESULTl;,  RESULT2i,...,  RESULTKO  = 
(OBlieTEXTl,OB2i©TEXT2,...,OBK,eTEXTK). 

d.  Forward  the  current  values  of  the  loop  number  i,  KEY,  IVj,  K-bit  TEXT  and  K- 
bit  RESULTj  to  the  MOVS,  as  specified  in  Output  Type  2. 

e.  Assign  a  new  value  to  IVj+,  by  setting  it  equal  to  the  value  of  a  basis  vector  with 
a  "1"  bit  in  position  i+1  ,  where  i=1...64. 

NOTE:  This  processing  continues  until  every  possible  basis  vector  has  been 
represented  by  the  IV,  i.e.,  64  times.  The  output  from  the  lUT  shall  consist  of  64  output 
strings.  Each  output  string  shall  consist  of  information  included  in  Output  Type  2. 

The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values  found  in  Appendix  B,  Table  1  for  DES  or  Table  5  for  Skipjack. 
For  lUTs  of  DES  where  K  is  less  than  64,  the  leftmost  K  bits  of  output  for  each  CT 
value  in  Table  1  shall  be  used. 
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5.3.1.2  The  Inverse  Permutation  Known  Answer  Test  -  CFB  Mode 


NOTE:  If  Skipjack,  K  shall  equal  64. 

MOVS:  Initialize  KEY:     If  DES,  KEY  =  0101010101010101  (odd  parity  set) 

If  Skipjack,  KEY  =  00000000000000000000 
IV,  =  8000000000000000 

K-bit  TEXTi  (where  i=l-64)  =  64  CT  values  from  the  Variable  Text  Known 
Answer  test 

Send  KEY,  IV„  64,  K-bit  TEXT, ...  TEXT64 

lUT:      FOR  i  =  1  to  64 
{ 

IBi  =  IVi 

Perform  algorithm  in  encrypt  state,  resulting  in  OB, 

K-bit  RESULTi=  LM'^(OBi)©  K-bit  TEXT 

Send  i,  KEY,  IV,,  K-bit  TEXT,  K-bit  RESULT, 

IVj+i  =  basis  vector  where  single  "  1 "  bit  is  in  position  i+1 

K-bit  TEXTi+,=  corresponding  K-bit  RESULT  value  from  the  Variable  Text  Known  Anwer 
test 

} 


MOVS:  Compare  RESULT  from  each  loop  with  known  answers 
The  RESULTS  should  be  all  zeros. 


Figure  5.26  The  Inverse  Permutation  Known  Answer  Test  -  CFB  Mode 


As  summarized  in  Figure  5.26,  the  Inverse  Permutation  Known  Answer  test  for  the  CFB  mode 
shall  be  performed  as  follows  (Note,  in  the  following  text,  if  the  lUT  is  of  the  Skipjack 
algorithm,  K  shall  equal  64.): 

1.       The  MOVS  shall: 


a.  Initialize  the  KEY  parameter  to  the  constant  hexadecimal  value  0.  For  lUTs  of 
the  DES  algorithm,  the  KEY  =  01  01  01  01  01  01  01  01.  Note  that  the 
significant  bits  are  set  to  "0"  and  the  parity  bits  are  set  to  "  1 "  to  make  odd  parity. 

For  lUTs  of  the  Skipjack  algorithm,  the  KEY  =  00  00  00  00  00  00  00  00  00  00. 

b.  Initialize  the  64  bit  initialization  vector  IV,  to  the  basis  vector  containing  a  "1 "  in 
the  first  bit  position  and  "0"  in  the  following  63  positions,  i.e.,  IV,    ~  1 0000000 
00000000  00000000  00000000  00000000  00000000  00000000  00000000.  The 
equivalent  of  this  value  in  hexadecimal  notation  is  80  00  00  00  00  00  00  00. 
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c.        Initialize  the  K-bit  TEXTi  (where  i=  1  -64)  to  the  RESULT^  obtained  from  the 
Variable  Text  Known  Answer  test. 


d.       Forward  this  information  to  the  lUT  using  Input  Type  5. 
The  lUT  shall  perform  the  following  for  i  =  1  through  64: 

a.  Assign  the  value  of  the  initialization  vector  IV^  to  the  input  block  IB  ,  i.e.,  (IB  1 , 
IB2„...,IB64i)  =  (IVl„IV2.,...,IV64i). 

b.  Process  IB,  through  the  DES  or  Skipjack  algorithm  in  the  encrypt  state,  resulting 
in  a  64-bit  output  block  OBj. 

c.  Calculate  the  K-bit  RESULT,  by  exclusive-ORing  the  leftmost  K-bits  of  OB; 
with  the  K-bit  TEXT,  i.e.,  (RESULTl^,  RESULT2,,...,  RESULTK,)  = 

(OB  1  jSTEXTl ,  OB2ieTEXT2,...,OBKieTEXTK). 

d.  Forward  the  current  values  of  the  loop  number  i,  KEY,  IVj,  K-bit  TEXT  and  K- 
bit  RESULT,  to  the  MOVS,  as  specified  in  Output  Type  2. 

e.  Assign  a  new  value  to  IV|+,  by  setting  it  equal  to  the  value  of  a  basis  vector  with 
a  "1"  bit  in  position  i+1  ,  where  i=1...64. 

f.  Assign  a  new  value  to  the  K-bit  TEXTj+,  by  setting  it  equal  to  the  corresponding 
output  from  the  Variable  Text  Known  Answer  test  for  the  CFB  mode. 

NOTE:  This  processing  continues  until  all  ciphertext  values  from  the  Variable  Text 
Known  Answer  test  have  been  used  as  input.  The  output  from  the  lUT  shall  consist  of 
64  output  strings.  Each  output  string  shall  consist  of  information  included  in  Output 
Type  2. 

The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values.  The  RESULT  values  should  be  all  zeros. 
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5.3.1.3  The  Variable  Key  Known  Answer  Test  -  CFB  Mode 


NOTE:  If  Skipjack,  K  shall  equal  64. 


MOVS:  Initialize  KEY:     If  DES,  KEY,  =  8001010101010101  (odd  parity  set) 

If  Skipjack,  KEY,  =  80000000000000000000 
IV  =0000000000000000 
K-bit  TEXT  =  0 
Send  KEY,  IV,  K-bit  TEXT 


lUT:      FOR  i  =  1  to  «,  where  «  =  64  if  DES,  80  if  Skipjack 

{ 

IF  (algorithm  ==  Skipjack)  {process  all  bits} 
OR 

(algorithm  ==  DES  AND  i  %8  !=  0) 

{process  all  bits  except  parity  bits} 

{ 

IB,  =  IV 

Perform  algorithm  in  encrypt  state  using  KEY;,  resulting  in  OB; 

K-bit  RESULTi=  leftmost  K  bits  of  OB,  denoted  LM''(OBi)  e  K-bit  TEXT 

Send  i,  KEYi,  IV,  K-bit  TEXT,  K-bit  RESULTj 

KEYj+i  =  vector  consisting  of  "0"  in  every  significant  bit  position  except  for  a 
single  "1"  bit  in  position  i+1.  Each  parity  bit  may  have  the  value  "1"  or  "0"  to 
make  the  KEY  odd  parity. 

} 


MOVS:  Compare  results  of  the  n  encryptions  with  known  answers 

If  DES,  use  K  bits  of  the  results  in  Appendix  B,  Table  2.  If  Skipjack,  use  64  bits  of  the  results  in 
Appendix  B,  Table  6. 


Figure  5.27  The  Variable  Key  Known  Answer  Test  -  CFB  Mode 


Figure  5.27  illustrates  the  Variable  Key  Known  Answer  test  for  the  CFB  Mode.  (Note,  if  the 
lUT  is  of  the  Skipjack  algorithm,  K  shall  equal  64.) 

1.       The  MOVS  shall: 

a,        Initialize  KEY,  to  contain  a  "0"  in  every  significant  bit  except  for  a  "1"  in  the 

first  position.  For  example,  if  validating  an  lUT  of  the  DES  algorithm,  the  64  bit 
KEY,  b,n=  10000000  00000001  00000001  00000001  00000001  00000001 
00000001  00000001.  The  equivalent  of  this  value  in  hexadecimal  notation  is  80 
01010101010101.  Note  that  the  parity  bits  are  set  to  "0"  or  "1"  to  get  odd 
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parity. 


If  validating  an  lUT  of  the  Skipjack  algorithm,  the  80-bit  KEY,    =  10000000 
00000000  00000000  00000000  00000000  00000000  00000000  00000000 
00000000  00000000.  The  equivalent  of  this  value  in  hexadecimal  notation  is  80 
00  00  00  00  00  00  00  00  00. 

b.  Initialize  the  64-bit  initialization  vector  IV  to  the  value  of  0,  i.e.,  TVi,^  =  00  00  00 
00  00  00  00  00. 

c.  Initialize  the  K-bit  TEXT  to  the  value  of  0.  It  shall  be  represented  as  K  binary 
bits,  where  K=1...64  for  DES  and  K=1...80  for  Skipjack,  i.e.,  TEXTbin=0,02...0K. 
This  shall  then  be  translated  into  hexadecimal. 

d.  Forward  this  information  to  the  lUT  using  Input  Type  2. 


2.       The  lUT  shall  perform  the  following  for  i  =  1  to  n:  (NOTE:  n  equals  the  number  of 
significant  bits  in  a  DES  or  Skipjack  key.) 

a.  Assign  the  value  of  the  IV  to  IBj,  i.e.,  (IBlj,  IB2i,...,  IB64i)  =  (IVl,  IV2,...,  IV64). 

b.  Using  the  corresponding  KEY,  process  IBj  through  the  DES  or  Skipjack 
algorithm  in  the  encrypt  state  resulting  in  OBj. 

c.  Calculate  the  K-bit  RESULTj  by  exclusive-ORing  the  leftmost  K-bits  of  OBj, 
denoted  LM'^(OBi),  with  the  K-bit  TEXT,  i.e.,(RESULTli,  RESULT2i,..., 
RESULTK,)  =  (OBl.eTEXTl,  OB2ieTEXT2,...,OBK,eTEXTK). 

d.  Forward  the  current  value  of  the  loop  number  i,  KEYj,  IV,  K-bit  TEXT  and  K-bit 
RESULTj  to  the  MOVS,  as  specified  in  Output  Type  2. 

e.  Set  KEYj+,  equal  to  the  vector  consisting  of  "0"  in  every  significant  bit  position 
except  for  a  single  "1"  bit  in  position  i+1.  The  parity  bits  contain  "1"  or  "0"  to 
make  odd  parity. 

NOTE:  The  above  processing  shall  continue  until  every  significant  basis  vector  has 
been  represented  by  the  KEY  parameter.  The  output  from  the  lUT  for  this  test  shall 
consist  of  56  output  strings  if  the  lUT  implements  the  DES  algorithm,  and  80  output 
strings  if  the  lUT  implements  the  Skipjack  algorithm.  Each  output  string  shall  consist  of 
information  included  in  Output  Type  2. 
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The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  received  results 
to  known  values  found  in  Appendix  B,  Table  2  for  DES  or  Table  6  for  Skipjack.  For 
lUTs  of  DES  where  K  is  less  than  64,  the  leftmost  K  bits  of  output  for  each  CT  in  Table 
2  shall  be  used. 
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5.3.1.4 

NOTE: 


The  Permutation  Operation  Known  Answer  Test  -  CFB  Mode 

This  test  shall  only  be  performed  for  the  DES  algorithm. 


MOVS;  Initialize  KEYj  (where  i  =1-32)  =  32  KEY  values  in  Appendix  B,  Table  3 

IV  =  0000000000000000 
K-bit  TEXT  =  0 
Send  K-bit  TEXT,  IV,  KEYi,  KEY2,...,KEY32 

lUT:      FOR  i  =  1  to  32 
{ 

IBi  =  IV 

Perform  DES  algorithm  in  encrypt  state,  resulting  in  OBi 
K-bit  RESULTi=  LM''(OB,)  ©  K-bit  TEXT 
Send  i,  KEYi,  IV,  K-bit  TEXT,  K-bit  RESULT; 
KEY;,,  =  Corresponding  KEYj+i  from  MOVS 

} 

MOVS:  Compare  results  from  each  loop  with  known  answers 


Figure  5.28  The  Permutation  Operation  Known  Answer  Test  -  CFB  Mode 


As  summarized  in  Figure  5.28,  the  Permutation  Operation  Known  Answer  test  for  the  CFB 
mode  shall  be  performed  as  follows: 

1.       The  MOVS  shall: 

a.  Initialize  the  KEY  parameter  with  the  32  constant  KEY  values  from  Appendix  B, 
Table  3. 

b.  Initialize  the  64-bit  initialization  vector  IV  to  the  value  of  0,  i.e.,  IVhex=00  00  00 
00  00  00  00  00. 

c.  Initialize  the  K-bit  TEXT  to  the  value  of  0.  The  TEXT  shall  be  represented  as  K 
hexadecimal  bits,  where  K=1...64binOr  K=\..A6^,^,  i.e.,  TEXThex=0,02...0k. 

d.  Forward  this  information  to  the  lUT  using  Input  Type  8. 


2.       The  lUT  shall  perform  the  following  for  i  =  1  to  32: 
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a.  Assign  the  value  of  the  IV  to  IBi,  i.e.,  (IBlj,  132;,...,  1364;)  =  (IVl,  IV2,...,  IV64). 

b.  Process  IBj  through  the  DES  algorithm  in  the  encrypt  state,  resulting  in  OB;. 

c.  Calculate  the  K-bit  RESULT;  by  exclusive-ORing  the  leftmost  K-bits  of  OB;, 
LM'*^(OBi),  with  the  K-bit  TEXT,  i.e.,(RESULTli,  RESULTl;,...,  RESULTK;)  = 
(OBlieTEXTl,OB2ieTEXT2,...,OBK,©TEXTK). 

d.  Forward  the  current  values  of  the  loop  number  i,  KEYj,  IV,  K-bit  TEXT  and  K- 
bit  RESULT,  to  the  MOVS,  as  specified  in  Output  Type  2. 

e.  Set  KEYj+i  equal  to  the  corresponding  KEY  supplied  by  the  MOVS. 

NOTE:  The  above  processing  shall  continue  until  all  32  KEY  values,  as  specified  in 
Input  Type  8,  are  processed.  The  output  from  the  lUT  for  this  test  shall  consist  of  32 
output  strings.  Each  output  string  shall  consist  of  information  included  in  Output  Type 
2. 

The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values  found  in  Appendix  B,  Table  3. 
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5.3.1.5  The  Substitution  Table  Known  Answer  Test  -  CFB  Mode 

NOTE:  This  test  shall  only  be  performed  for  the  DES  algorithm. 


MOVS;  Initialize 


KEY;  (where  i=l-19)  =  19  KEY  values  in  Appendix  B,  Table  4 
IV,  (where  i=l-19)  =  19  corresponding  TEXT  values  in  Table  4 
K-bit  TEXT  =  0 

K-bit  TEXT,  19,  KEY,,  IV„  KEYj,  IV^,...,  KEY,,,  IV„ 


Send 


lUT: 


FORi 


1  to  19 


IBi  =  IVi 

Perform  DES  algorithm  in  encrypt  state,  resulting  in  OB, 

K-bit  RESULT,=  LM''(OB,)  ®  K-bit  TEXT 

Send  i,  KEY,,  IV,,  K-bit  TEXT,  K-bit  RESULT; 

KEYi^,  =  KEYi,,  from  MOVS 

IV,+,  =  corresponding  DATAj^,  from  MOVS 


MOVS:  Compare  results  from  each  loop  with  known  answers 


Figure  5.29  The  Substitution  Table  Known  Answer  Test  -  CFB  Mode 


Figure  5.29  illustrates  the  Substitution  Table  Known  Answer  test  for  the  CFB  Mode. 

1.       The  MOVS  shall: 

a.       Initialize  the  KEY-DATA  pairs  with  the  19  constant  KEY-DATA  values  from 
Appendix  B,  Table  4.  The  DATA  values  shall  then  be  assigned  to  the  values  of 
the  initialization  vectors  IV. 


b.       Initialize  the  K-bit  TEXT  to  the  value  of  0,  where  K=l ...64,  i.e., 
TEXT,i=0,02...0K. 


c.        Forward  this  information  to  the  lUT  using  Input  Type  1 1 . 
2.       The  lUT  shall  perform  the  following  for  i  =  1  to  19: 

a.  Assign  the  value  of  IVi  to  IBj,  i.e.,  (IBl^,  IB2,,...,  IB64i)  =  (IVlj,  IV2i,...,  IV64i). 

b.  Process  IBj  through  the  DES  algorithm  in  the  encrypt  state,  resulting  in  OBj. 
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c.  Calculate  the  K-bit  RESULTj  by  exclusive-ORing  the  leftmost  K-bits  of  OBj, 
LM'^(OBi),  with  the  K-bit  TEXT,  i.e.,(RESULTlj,  RESULTlj,...,  RESULTK^)  = 
(OBlieTEXTl,OB2ieTEXT2,...,OBKi®TEXTK). 

d.  Forward  the  current  value  of  the  loop  number  i,  KEYj,  IV,  the  K-bit  TEXT,  and 
the  K-bit  PIESULT,. 

e.  Set  KEYj+i  equal  to  the  corresponding  KEY  in  the  input  from  the  MO  VS. 

f.  Set  IVj+,  equal  to  the  corresponding  DATA  value  in  the  input  from  the  MOVS. 

NOTE:  The  above  processing  shall  continue  until  all  19  KEY-DATA  pairs,  as  specified 
in  Input  Type  1 1,  are  processed.  The  output  from  the  lUT  for  this  test  shall  consist  of  19 
output  strings.  Each  output  string  shall  consist  of  information  included  in  Output  Type 
2. 

The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values  found  in  Appendix  B,  Table  4. 
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5.3.2  The  Modes  Tests  -  CFB  Mode 


The  Modes  tests  required  to  validate  an  lUT  for  the  CFB  mode  of  operation  shall  be  determined 
by  the  process  or  processes  allowed  by  an  lUT.  The  K-bit  CFB  Modes  test  for  the  Encryption 
Process  shall  be  successfully  completed  if  an  lUT  supports  the  encryption  process  of  the  CFB 
mode  of  operation.  The  K-bit  CFB  Modes  test  for  the  Decryption  Process  shall  be  successfully 
completed  if  an  lUT  supports  the  decryption  process. 


5.3.2.1  The  K-bit  CFB  Modes  Test  for  the  Encryption  Process  -  CFB  Mode 


MOVS:  Initialize  KEYq,  IV,  K-bit  PTo 

Send  KEYo,  IV,  K-bit  PTo 

lUT:      FOR  i  =  0  TO  399 
{ 

lf(i==0)  IBo  =  IV 
Record  i,  KEY,,  PTo 
FORj  =  0  TO  9,999 
{ 

Perform  algorithm  in  encrypt  state,  resulting  in  OBj. 
Select  the  leftmost  K  bits  of  the  OBj,  LM'^(OBj), 

discarding  the  rest. 
K-bit  CTj  =  LM''(OBj)  ®  K-bit  PTj 
K-bit  PT^^,  =  LM''(IBj) 
IBj^,  =  RM'^'''(IBj)  II  K-bit  CT^ 

} 

Record  K-bit  CTj,  IBq 

Send  i,  KEY;,  IBq,  K-bit  PTq,  K-bit  CTj 

KEY,^,  =  KEY,  ®  last  n  bits  of  CT,  where  «=64  if  DES,  «=80  if  Skipjack 

K-bit  PTo  =  LW^ilB^gs) 

IBo  =  RM'^''\IB9999)  II  K-bit  CT,,,, 

} 

MOVS:  Check  the  lUT's  output  for  correctness 


Figure  5.30  The  Modes  Test  for  the  Encryption  Process  -  K-bit  CFB  Mode 


As  summarized  in  Figure  5.30,  the  K-bit  CFB  Modes  test  for  the  Encryption  Process  shall  be 
performed  as  follows: 

I 

1.       The  MOVS  shall: 

a.        Initialize  KEY,  the  initialization  vector  IV  and  the  plaintext  PT  variables.  The 
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IV  shall  consist  of  64  bits.  The  PT  shall  be  represented  as  K-bits,  where 
K=1...64.  The  KEY  length  shall  be  dependent  on  the  algorithm  implemented  by 
the  lUT. 

b.       Forward  these  values  to  the  lUT  using  Input  Type  2. 


The  lUT  shall  perform  the  following  for  i  =  0  through  399: 

a.  If  i  =  0  (if  this  is  the  first  time  through  the  loop),  set  the  input  block  IBq  equal  to 
the  value  of  the  IV,  i.e.,  (IBlo,  IB2o,...,IB64o)  =  (IVl,  IV2,...,IV64). 

b.  Record  the  current  value  of  the  outer  loop  number  i,  KEYj,  and  the  K-bit  PTq. 

c.  For  j=0  through  9999,  perform  the  following: 

i.  Process  IBj  through  the  DBS  or  Skipjack  algorithm  in  the  encrypt  state, 
resulting  in  a  64-bit  output  block  OBj. 

ii.  Calculate  the  K-bit  ciphertext  CTj  by  exclusive-ORing  the  leftmost  K-bits 
of  OBj  with  the  K-bit  PTj,  i.e.,  (CTlj,  CT2j,...,  CTK^)  =  (OBlj©PTlj, 
OB2j®PT2j, ...  OBKjePTKj). 

iii.  Prepare  for  loop  j+1  by  doing  the  following: 

Assign  the  K-bit  PTj+,  with  the  value  of  the  leftmost  K-bits  of  the 
IB^,  i.e.,  (PTlj,„  PT2j,„  ...  PTKj,,)  =  (IBlj,  IB2j, IBK^). 

Assign  IBj+,  with  the  value  of  the  concatenation  of  the  rightmost 
(64-K)  bits  of  IBj  with  the  K-bit  CTj,  i.e.,(IBlj^„  IB2j^„...,IB64j^i) 
=  (IB[K+H,  IB[K+2]j,...,  IB64j,  CTlj,  CT2j,...,CTKj). 

d.  Record  the  K-bit  CTj  and  IBj 

e.  Output  all  recorded  values  for  this  loop,  as  specified  in  Output  Type  2,  to  the 
MOVS. 


f.        In  preparation  for  the  next  output  loop: 

i.      Assign  a  new  value  to  the  KEY  in  preparation  for  the  next  outer  loop. 

The  new  KEY  shall  be  calculated  by  exclusive-ORing  the  current  KEY  of 
length  n  with  n  bits  of  CT. 
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For  lUTs  of  the  DES  algorithm,  if  the  length  of  the  CT  is  less  than  64  (the 
length  of  a  DES  key),  the  CT  shall  be  expanded  in  length  to  64  bits 
before  forming  the  new  KEY.  This  expansion  shall  be  accomplished  by 
concatenating  x  of  the  most  current  CTs  together  to  obtain  64  bits  of  CT. 
For  example,  if  the  length  of  the  CT  is  14  (K=14),  the  expanded  CT  = 

(CT79995  ...  CTI49995,  CTl999g  ...  CT14999g,  CTI9997  ...  CTI49997,  CTlgggg  ... 

CT14999g,  CTI9999 ...  CTI49999).  This  value  shall  then  be  exclusive-ORed 
with  the  current  KEY  to  form  the  new  KEY.  Using  the  same  example  as 
above,  (KEYl,,,,  KEY2,+„  ...  KEY64i„)  =  (KEYli®CT79995, ... 
KEY8ieCT149995,  KEY9ieCTl9996, ...  KEY22i©CT149996, 
KEY23ieCTl9997, ...  KEYS 6jeCTl 49997,  KEY37jeCTl9998, ... 
KEY50i©CT149998,  KEY51i®CT79999, ...  KEY64j®CTl 49999,). 

For  lUTs  of  the  Skipjack  algorithm,  CT  shall  be  expanded  in  length  to  80 
bits  (the  length  of  a  Skipjack  key)  before  the  new  KEY  can  be  formed. 
This  expansion  shall  be  accomplished  in  the  same  manner  described 
above  for  DES.  The  resulting  value  shall  then  be  exclusive-ORed  with 
the  current  KEY  to  form  the  new  KEY. 

ii.  Assign  a  new  value  to  the  K-bit  PTq.  The  K-bit  PTq  shall  be  assigned  the 
value  of  the  leftmost  K-bits  of  the  current  IB,  i.e.,  (PTIq,  PT2o,  ...  PTKq) 
—  (IB  1 9999,  IB29999, IBK9999). 

iii.  Assign  a  new  value  to  IBq.  IBq  shall  be  assigned  the  value  of  the 
rightmost  (64-K)  bits  of  the  current  IB  concatenated  with  the  current  K- 
bit  CT,  i.e.,  (IBlo,  IB2o,...,IB64o)  =  (IB[K+1]9999,  IB[K+2]9999,...,  IB649999, 
CTI9999,  CT29999,...,  CTK9999).  (Note  that  the  new  PT  and  IB  shall  be 
denoted  as  PTq  and  IBq  because  these  values  are  used  for  the  first  pass 
through  the  inner  loop  when  j=0.) 

NOTE:  The  output  from  the  lUT  for  this  test  shall  consist  of  400  output  strings.  Each 
output  string  shall  consist  of  information  included  in  Output  Type  2. 

3.       The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values. 
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5.3.2.2  The  Modes  Test  for  the  Decryption  Process  -  CFB  Mode 


MOVS:  Initialize  KEYq,  IV,  K-bit  CTo 

Send  KEYo,  IV,  K-bit  CTq 


lUT:      FOR  i  =  0  TO  399 

{ 

if(i==0)  IBo  =  IV 
Record  i,  KEYi,  K-bit  CTo 
FORj  =  0TO  9,999 

{ 

Perform  algorithm  in  encrypt  state,  resulting  in  OBj. 
Select  the  leftmost  K  bits  of  the  OBj,  LM'^(OBj), 

discarding  the  rest. 
K-bit  PTj  =  LM'^(OBj)  e  K-bit  CTj 
IBj^i  =  RM'^-'^^IBj)  II  K-bit  CTj 
K-bit  CTj^,  =  LM^(OBj) 

} 

Record  IBq,  K-bit  PTj 

Send  i,  KEYj,  IBq,  K-bit  PT„  K-bit  CT, 

KEYi+i  =  KEYi  e  last  n  bits  of  PT,  where  «=64  if  DES,  az=80  if  Skipjack 
IBo  =  RM'^-''VIB999,)  II  K-bit  CT^, 
K-bit  CTo  =  LM''(0B9995) 


MOVS:  Check  the  lUT's  output  for  correctness 


Figure  5.31  The  Modes  Test  for  the  Decryption  Process  -  CFB  Mode 


Figure  5.31  illustrates  the  Modes  test  for  the  CFB  Decryption  Process. 
1.       The  MOVS  shall: 

a.  Initialize  KEY,  the  initialization  vector  IV,  and  the  ciphertext  CT  variables.  The 
IV  shall  consist  of  64  bits,  and  the  CT  shall  be  represented  as  K  bits,  where 
K=l ...64.  The  KEY  length  shall  be  dependent  on  the  algorithm  implemented. 

b.  Forward  these  values  to  the  lUT  using  Input  Type  2. 
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2.       The  lUT  shall  perform  the  following  for  i  =  0  through  399: 

a.  If  i  =  0  (if  this  is  the  first  time  through  the  loop),  set  the  input  block  IBq  equal  to 
the  value  of  IV,  i.e.,  (IBIq,  IB2o,...,IB64o)  =  (IVl,  IV2,...,1V64). 

b.  Record  the  current  value  of  the  outer  loop  number  i,  KEYj,  and  the  K-bit  CT,. 

c.  For  j=0  through  9999,  perform  the  following: 

i.  Process  IBj  through  the  DES  or  Skipjack  algorithm  in  the  encrypt  state, 
resuhing  in  a  64-bit  output  block  OBj. 

ii.  Calculate  the  K-bit  PT  by  exclusive-ORing  the  leftmost  K-bits  of  OB^ 
with  the  K-bit  CT^,  i.e.,  (PTl^,  PT2j,...,  PTK^)  =  (OBljeCTlj,  OB2j®CT2j, 
...  OBK^eCTK^). 

iii.  Prepare  for  loop  j+1  by  doing  the  following: 

-  Assign  IBj+i  with  the  value  of  the  concatenation  of  the  rightmost  (64-K) 
bits  of  the  IBj  with  the  K-bit  CTj,  i.e.,(IBlj+,,  IB2j+i,...,IB64j+,)  = 
(IB[K+H,  IB[K+2]j,...,  IB64j,  CTl^,  CT2j,...,CTKj). 

-  Assign  the  K-bit  CTj+|  with  the  value  of  the  leftmost  K-bits  of  OBj,  i.e., 
(CTlj,,,  CT2j,„  ...  CTKj,,)  =  (OBlj,  0B2j, OBK^). 

d.  Record  IBj  and  PTj . 

e.  Output  all  recorded  values  for  this  loop,  as  specified  in  Output  Type  2. 

f.  In  preparation  for  the  next  outer  loop: 


i.       Assign  a  new  value  to  the  KEY  in  preparation  for  the  next  outer  loop. 

The  new  KEY  shall  be  calculated  by  exclusive-ORing  the  current  KEY  of 
length  n  with  n  bits  of  PT. 

For  lUTs  of  the  DES  algorithm,  if  the  length  of  the  PT  is  less  than  64  (the 
length  of  a  DES  key),  the  PT  shall  be  expanded  in  length  to  64  bits  before 
forming  the  new  KEY.  This  expansion  shall  be  accomplished  by 
concatenating  x  of  the  most  current  PTs  together  to  obtain  64  bits  of  PT. 
For  example,  if  the  length  of  the  PT  is  14  (K=14),  the  expanded  PT  = 
(PT79995 ...  PT  149995,  -PTlgggg ...  PTl 49995,  PT  1 9997 ...  PTl 49997,  PT  19993  ••• 
PT  149998,  PTl 9999 ...  PTl 49999).  This  value  shall  then  be  exclusive-ORed 
with  the  current  KEY  to  form  the  new  KEY.  Using  the  same  example  as 
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above,  (KEYli,,,  KEY2,,„  ...  KEY64i„)  =  (KEYliSPTT^^^, ... 
KEY8i®PTl  V5,  KEY%®?TU,,„  ...  KEYlliePTH^^^^,  KEY23,®?T\,,,„ 
...  KEY36j©PT149997,  KEY37,®PTlgg,^, ...  KEYSOjePTlVg, 
KEY51i©PT79999, ...  KEY64jePT149999,)- 

For  lUTs  of  the  Skipjack  algorithm,  the  PT  shall  be  expanded  in  length  to 
80  bits  (the  length  of  a  Skipjack  key)  before  the  new  KEY  can  be  formed. 
This  expansion  shall  be  accomplished  in  the  same  manner  described 
above  for  DES.  The  resulting  value  shall  then  be  exclusive-ORed  with 
the  current  KEY  to  form  the  new  KEY. 

ii.  Assign  a  new  value  to  IBq.  IBq  shall  be  assigned  the  value  of  the 
rightmost  (64-K)  bits  of  the  current  IB  concatenated  with  the  current  K- 
bit  CT,  i.e.,  (IBlo,  IB2o,...,IB64o)  =  (m[K+\],,,„  m[K+2U,„...,  IB649999, 
CTI9999,  CT29999,...,  CTK9999). 

iii.  Assign  a  new  value  to  CTq.  CTq  shall  be  assigned  the  value  of  the 
leftmost  K-bits  of  the  current  OB,  LM'^(OB9999),  i.e.,  (CTIq,  CT2o,  ... 
CTKo)  =  (OBI9999,  OB29999, OBK9999).  (Note  that  the  new  CT  and  IB 
shall  be  denoted  as  CTq  and  IBq  because  these  values  are  used  for  the  first 
pass  through  the  inner  loop  when  j=0.) 

NOTE:  The  output  from  the  lUT  for  this  test  shall  consist  of  400  output  strings.  Each 
output  string  shall  consist  of  information  included  in  Output  Type  2. 

The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received 
results  to  known  values. 
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5.4      The  Output  Feedback  Mode  -  OFB  Mode 


The  lUTs  of  the  DES  and  Skipjack  algorithm  in  the  Output  Feedback  (OFB)  mode  shall  be 
validated  by  successfully  completing  a  set  of  Known  Answer  tests  and  a  Modes  test  applicable  to 
both  lUTs  supporting  the  encryption  and/or  the  decryption  processes.  Encryption  and  decryption 
using  the  OFB  mode  of  operation  involve  processing  an  input  block  through  the  encrypt  state  of 
the  specified  algorithm.  Therefore,  the  same  set  of  Known  Answer  tests  and  Modes  test  can  be 
applied  to  lUTs  supporting  both  encryption  and  decryption. 

The  process  of  validating  an  lUT  of  the  OFB  mode  of  the  DES  algorithm  which  implements  the 
encryption  and/or  decryption  processes  shall  involve  the  successful  completion  of  the  following 
six  tests: 

1 .  The  Variable  Text  Known  Answer  Test  -  OFB  mode 

2.  The  Inverse  Permutation  Known  Answer  Test  -  OFB  mode 

3.  The  Variable  Key  Known  Answer  Test  -  OFB  mode 

4.  The  Permutation  Operation  Known  Answer  Test  -  OFB  mode 

5.  The  Substitution  Table  Known  Answer  Test  -  OFB  mode 

6.  The  Modes  Test  -  OFB  mode 

The  lUTs  of  the  Skipjack  algorithm  shall  successfully  complete  tests  1,  2,  3,  and  6  only. 
An  explanation  of  the  tests  for  the  OFB  mode  follows. 

5.4.1  The  Known  Answer  Tests  -  OFB  Mode 

In  the  following  description  of  the  Known  Answer  tests,  TEXT  refers  to  plaintext,  and  RESULT 
refers  to  ciphertext  if  the  lUT  implements  the  encryption  process  of  the  OFB  mode  of  operation. 
If  the  lUT  supports  the  decryption  process  of  the  OFB  mode  of  operation,  TEXT  refers  to 
ciphertext,  and  RESULT  refers  to  plaintext. 
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5.4.1.1  The  Variable  Text  Known  Answer  Test  -  OFB  Mode 


MOVS:Initialize  KEY:     If  DES,  KEY  =  0101010101010101  (odd  parity  set) 

If  Skipjack,  KEY  =  00000000000000000000 
IV,=  8000000000000000 
TEXT  =  0000000000000000 
Send      KEY,  IV„  TEXT 

lUT:      FOR  i  =  1  to  64 
{ 

IBi  =  IVi 

Perfonn  algorithm  in  encrypt  state  resulting  in  OBj 
RESULT,=  OBj®  TEXT 
Send  i,  KEY,  IVi,TEXT,  RESULT; 
IVj+i  =    basis  vector  where  single  "  1 "  bit  is  in  position  i+1 


} 


MOVS:  Compare  results  from  each  loop  with  known  answers 

If  DES,  use  Appendix  B,  Table  1 .  If  Skipjack,  use  Appendix  B,  Table  5. 


Figure  5.32  The  Variable  Text  Known  Answer  Test  -  OFB  Mode 


Figure  5.32  illustrates  the  Variable  Text  Known  Answer  test  for  the  OFB  Mode. 
1.       The  MOVS  shall: 

a.  Initialize  the  KEY  parameter  to  the  constant  hexadecimal  value  0.  For  lUTs  of 
the  DES  algorithm,  the  KEYhe^  =  0101010101010101.  Note  that  the 
significant  bits  are  set  to  "0"  and  the  parity  bits  are  set  to  "  1 "  to  make  odd  parity. 
For  lUTs  of  the  Skipjack  algorithm,  the  KEYhe^  =  00  00  00  00  00  00  00  00  00  00. 

b.  Initialize  the  64  bit  initialization  vector  IV,  to  the  basis  vector  containing  a  "  1 "  in 
the  first  bit  position  and  "0"  in  the  following  63  positions,  i.e.,  IV,  ^-^^  =  10000000 
00000000  00000000  00000000  00000000  00000000  00000000  00000000.  The 
equivalent  of  this  value  in  hexadecimal  notation  is  80  00  00  00  00  00  00  00. 

c.  Initialize  the  TEXT  parameter  to  the  constant  hexadecimal  value  0,  i.e.,  TEXT,,^^ 
=  00  00  00  00  00  00  00  00. 
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d.       Forward  this  information  to  the  lUT  using  Input  Type  2. 


The  lUT  shall  perform  the  following  for  i  =  1  through  64: 

a.  Assign  the  value  oflY,  to  the  input  block  IB;  i.e.,  (IBlj,  IB2i,...,  IB64i)  =  (IVlj, 
IV2i,...,  IV64i). 

b.  Process  IBj  through  the  DES  or  Skipjack  algorithm  in  the  encrypt  state,  resulting 
in  output  block  OBj. 

c.  Calculate  RESULT,  by  exclusive-ORing  OB,  with  TEXT,  i.e.,  (RESULT  1^, 
RESULT2i,...,  RESULT64;)  =  (OBliSTEXTl,  OB2j®TEXT2, 
OB64i®TEXT64). 

d.  Forward  the  current  value  of  the  loop  number  i,  KEY,  IVj,  TEXT,  and  RESULTj 
to  the  MOVS,  as  specified  by  Output  Type  2. 

e.  Assign  a  new  value  to  IVi+,  by  setting  it  equal  to  the  value  of  a  basis  vector  with  a 
"1"  bit  in  position  i+1,  where  i=1...64. 


NOTE:  This  processing  shall  continue  until  every  possible  basis  vector  has  been 
represented  by  the  IV,  i.e.,  64  times.  The  output  from  the  lUT  for  this  test  shall  consist  of 
64  output  strings.  Each  output  string  shall  consist  of  information  included  in  Output 
Type  2. 


The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received  results 
to  known  values  found  in  Appendix  B,  Table  1  for  DES  and  Table  5  for  Skipjack  . 
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5.4.1.2  The  Inverse  Permutation  Known  Answer  Test  -  OFB  Mode 


MOVS:Initialize  KEY:     If  DES,  KEY  =  0101010101010101  (odd  parity  set) 

If  Skipjack,  KEY  =  00000000000000000000 
IV,=  8000000000000000 

TEXTj  (where  i=l-64)  =  64  RESULT  values  from  the  Variable  Text  Known  Answer  test 
Send     KEY,  IV„  64,  TEXT,  ...  TEXT^ 


lUT:      FOR  i  =  1  to  64 
{ 

Perform  algorithm  in  encrypt  state  resulting  in  OBj 

RESULTi=  OBi®  TEXT 

Send  i,  KEY,  IVi,TEXT,  RESULT, 

rVj+i  =    basis  vector  where  single  "  1 "  bit  is  in  position  i+1 

TEXTj+i  =  corresponding  RESULT  value  from  the  Variable  Text  Known  Answer  test 


MOVS:  Compare  RESULT  from  each  loop  with  known  answers. 
The  TEXT  should  be  all  zeros. 


Figure  5.33  The  Inverse  Permutation  Known  Answer  Test  -  OFB  Mode 


Figure  5.33  illustrates  the  Inverse  Permutation  Known  Answer  test  for  the  OFB  Mode. 
1.       The  MOVS  shall: 

a.  Initialize  KEY  parameter  to  the  constant  hexadecimal  value  0.  For  lUTs  of  the 
DES  algorithm,  the  KEY^ex  =  0101010101010101.  Note  that  the  significant 
bits  are  set  to  "0"  and  the  parity  bits  are  set  to  "1"  to  make  odd  parity. 

For  lUTs  of  the  Skipjack  algorithm,  the  KEY^e^  =  00  00  00  00  00  00  00  00  00  00. 

b.  Initialize  the  64  bit  initialization  vector  IV,  to  the  basis  vector  containing  a  "  1 "  in 
the  first  bit  position  and  "0"  in  the  following  63  positions,  i.e.,  IV,    =  10000000 
00000000  00000000  00000000  00000000  00000000  00000000  00000000.  The 
equivalent  of  this  value  in  hexadecimal  notation  is  80  00  00  00  00  00  00  00. 

c.  Initialize  the  TEXTj  parameter  (where  i=  1-64)  to  the  RESULTj  obtained  from  the 
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Variable  Plaintext  Known  Answer  test. 


d.       Forward  this  information  to  the  lUT  using  Input  Type  5. 


The  lUT  shall  perform  the  following  for  i  =  1  through  64: 

a.  Assign  the  value  of  IVj  to  the  input  block  IBj  i.e.,  (IBl;,  162;,...,  IB64i)  =  (IVl^, 
IV2,...,  IV64X 

b.  Process  IB;  through  the  DES  or  Skipjack  algorithm  in  the  encrypt  state,  resulting 
in  output  block  OB^. 

c.  Calculate  RESULT;  by  exclusive-ORing  OB,  with  TEXT,  i.e.,  (RESULT Ij, 
RESULT2i,...,  RESULT64i)  =  (OBljeTEXTl,  OB2i®TEXT2, 
OB64i®TEXT64). 

d.  Forward  the  current  value  of  the  loop  number  i,  KEY,  IV;,  TEXT,  and  RESULTj 
to  the  MOVS,  as  specified  by  Output  Type  2. 

e.  Assign  a  new  value  to  IVj+i  by  setting  it  equal  to  the  value  of  a  basis  vector  with  a 
"1"  bit  in  position  i+1,  where  i=1...64. 

f.  Assign  a  new  value  to  the  TEXTj+i  by  setting  it  equal  to  the  corresponding 
RESULT  value  from  the  Variable  Text  Known  Answer  test  for  the  OFB  mode. 


NOTE:  This  processing  shall  continue  until  all  ciphertext  values  from  the  Variable  Text 
Known  Answer  Text  have  been  used  as  input.  The  output  from  the  lUT  for  this  test  shall 
consist  of  64  output  strings.  Each  output  string  shall  consist  of  information  included  in 
Output  Type  2. 


The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received  results 
to  known  values.  The  RESULT  values  should  be  all  zeros. 
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5.4.1.3  The  Variable  Key  Known  Answer  Test  -  OFB  Mode 


MOVS:  Initialize  KEY,:    If  DES,  KEYi=8001010101010101  (odd  parity  set) 

If  Skipjack,  KEY, =80000000000000000000 
IV  =  0000000000000000 
TEXT  =  0000000000000000 
Send  KEY,,  IV,  TEXT 


JUT:      FOR  i  =  1  to  n,  where  n  =  64  if  DES,  80  if  Skipjack 

{ 

IF  (Skipjack)  {process  all  bits} 
or 

(DES  AND  i  %8  !=  0) 

{process  all  bits  except  parity  bits} 

{ 

IB,  =  IV 

Perform  algorithm  in  encrypt  state,  resulting  in  OB, 

RESULTi=  OB;  e  TEXT 

Send  i,  KEY,,  IV,  TEXT,  RESULT, 

KEY|+,  =  vector  consisting  of  "0"  in  every  significant  bit  position  except  for  a 
single  "  1 "  bit  in  position  i+1 .  Each  parity  bit  may  have  the  value  "  1 "  or  "0"  to 
make  the  KEY  odd  parity. 

} 


MOVS:  Compare  results  of  the  n  encryptions  wath  known  answers 

If  DES,  use  Appendix  B,  Table  2.  If  Skipjack,  use  Appendix  B,  Table  6. 


Figure  5.34  The  Variable  Key  Known  Answer  Test  -  OFB  Mode 


As  summarized  in  Figure  5.34,  the  Variable  Key  Known  Answer  test  for  the  OFB  mode  shall  be 
performed  as  follows: 

1.       The  MOVS  shall: 

a.        Initialize  KEY,  to  contain  a  "0"  in  every  significant  bit  except  for  a  "  1 "  in  the  first 
position.  For  an  lUT  of  the  DES  algorithm,  the  64  bit  KEY,    =  10000000 
00000001  00000001  00000001  00000001  00000001  00000001  00000001.  The 
equivalent  of  this  value  in  hexadecimal  notation  is  80  01  01  01  01  01  01  01. 
Note  that  the  parity  bits  are  set  to  "0"  or  "  1 "  to  get  odd  parity. 

For  an  JUT  of  the  Skipjack  algorithm,  the  80  bit  KEY,    =  1 0000000  00000000 
00000000  00000000  00000000  00000000  00000000  00000000  00000000 
00000000.  The  equivalent  of  this  value  in  hexadecimal  notation  is  80  00  00  00  00 
00  00  00  00  00. 
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b.  Initialize  the  64  bit  initialization  vector  IV  to  the  value  of  0,  i.e.,  IVhe,=00  00  00 
00  00  00  00  00. 

c.  Initialize  TEXT  to  the  value  of  0,  i.e.,  TEXThe,=00  00  00  00  00  00  00  00. 

d.  Forward  this  information  to  the  lUT  using  Input  Type  2. 

The  lUT  shall  perform  the  following  for  i  =  1  to  n:  (NOTE:  n  equals  the  number  of 
significant  bits  in  a  DES  or  Skipjack  key.) 

a.  Assign  the  value  of  IV  to  IB;,  i.e.,  (IBlj,  132;,...,  IB64i)  =  (IVl,  IV2,...,  IV64). 

b.  Process  IB;  through  the  DES  or  Skipjack  algorithm  in  the  encrypt  state,  resulting 
in  output  block  OB^. 

c.  Calculate  RESULT^  by  exclusive-ORing  OBj  with  TEXT,  i.e.,(RESULTli, 
RESULT2i,...,  RESULT64i)  =  (OBljeTEXTl, 
OB2,©TEXT2,...,OB64ieTEXT64). 

d.  Forward  the  current  value  of  the  loop  number  i,  KEY;,  IV,  TEXT  and  RESULTj  to 
the  MOVS,  as  specified  in  Output  Type  2. 

e.  Set  KEYj+,  equal  to  the  vector  consisting  of  "0"  in  every  significant  bit  position 
except  for  a  single  "1"  bit  in  position  i+1. 

NOTE:  The  above  processing  shall  continue  until  every  significant  basis  vector  has  been 
represented  by  the  KEY  parameter.  The  output  trom  the  lUT  for  this  test  shall  consist  of 
56  output  strings  if  the  lUT  implements  the  DES  algorithm  and  80  output  strings  if  the 
lUT  implements  the  Skipjack  algorithm.  Each  output  string  shall  consist  of  information 
included  in  Output  Type  2. 

The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received  results 
to  known  values  found  in  Appendix  B,  Table  2  for  DES  and  Table  6  for  Skipjack. 
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5.4.1.4  The  Permutation  Operation  Known  Answer  Test  -  OFB  Mode 

NOTE:  This  test  shall  only  be  performed  for  the  DES  algorithm. 


MOVS:  Initialize  KEY;  (where  i=l-32)  =  32  KEY  values  in  Appendix  B,  Table  3 

IV  =  0000000000000000 
TEXT  =  0000000000000000 
Send  TEXT,  IV,  KEY,,  BCEY^, KEY32 

lUT:      FOR  i  =  1  to  32 
{ 

IBi  =  IV 

Perform  DES  algorithm  in  encrypt  state,  resulting  in  OBj 

RESULT^  OBi  ®  TEXT 

Send  i,  KEY,,  IV,  TEXT,  RESULT^ 

KEYi+i  =  Corresponding  KEYi+,  from  MOVS 


MOVS:  Compare  results  with  known  answers 


Figure  5.35  The  Permutation  Operation  Known  Answer  Test  -  OFB  Mode 


Figure  5.35  illustrates  the  Permutation  Operation  Known  Answer  test  for  the  OFB  mode. 
1.       The  MOVS  shall: 

a.  Initialize  the  KEY  parameter  with  the  32  constant  KEY  values  from  Appendix  B, 
Table  3. 

b.  Initialize  IV  to  the  value  ofO,  i.e.,  IVhe,=00  00  00  00  00  00  00  00. 

c.  Initialize  TEXT  to  the  value  of  0,  i.e.,  TEXThex=00  00  00  00  00  00  00  00. 

d.  Forward  this  information  to  the  lUT  using  Input  Type  8. 


2.       The  lUT  shall  perform  the  following  for  i  =  1  to  32: 

a.  Assign  the  value  of  IV  to  the  input  block  IBj,  i.e.,  (IBlj,  IB2i,...,  IB64i)  =  (IVl, 
IV2,...,  IV64). 

b.  Process  IBj  through  the  DES  algorithm  in  the  encrypt  state,  resulting  in  the  output 
block  OBj. 
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c.  Calculate  RESULT,  by  exclusive-ORing  OBj  with  TEXT,  i.e., (RESULT  1;, 
RESULT2i,...,  RESULT64i)  =  (OBl.eTEXTl,  OB2ieTEXT2, 
OB64ieTEXT64). 

d.  Forward  the  current  values  of  the  loop  number  i,  KEYj,  IV,  TEXT  and  RESULT|. 

e.  Set  KEYj+i  equal  to  the  corresponding  KEY  supplied  from  the  MO  VS. 

NOTE:  The  above  processing  shall  continue  until  all  32  KEY  values,  as  specified  in 
Input  Type  8,  are  processed.  The  output  from  the  lUT  for  this  test  shall  consist  of  32 
output  strings.  Each  output  string  shall  consist  of  information  included  in  Output  Type  2. 

3.       The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received  results 
to  known  values  found  in  Appendix  B,  Table  3. 
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5.4.1.5  The  Substitution  Table  Known  Answer  Test  -  OFB  Mode 

NOTE:  This  test  shall  only  be  performed  for  the  DES  algorithm. 


MOVS:  Initialize  KEY,  (where  i=l-19)  =  19  KEY  values  in  Appendix  B,  Table  4 

IV;  (where  i=l-19)  =  19  corresponding  PT  values  in  Appendix  B,  Table  4 
TEXT  =  0000000000000000 
Send  TEXT,  19,  KEY,,  IV„  KEY^,  IV2,...,KEY,5,  IV„ 


JUT:      FORi  =  ltol9 
{ 

IB-IVi 

Perform  DES  algorithm  in  encrypt  state,  resulting  in  OBj 

RESULTi=  OB;  ©  TEXT 

Send  i,  KEY,,  IV;,  TEXT,  RESULT; 

KEYj,,  =  KEYhi  from  MOVS 

IV,+,  =  corresponding  DATA,^.  from  MOVS 


MOVS:  Compare  results  from  each  loop  with  known  answers 


Figure  5.36  The  Substitution  Table  Known  Answer  Test  -  OFB  Mode 


As  summarized  in  Figure  5.36,  the  Substitution  Table  Known  Answer  test  for  the  OFB  mode 
shall  be  performed  as  follows: 

r.        The  MOVS  shall: 

a. .  Initialize  the  KEY-INPUT  pairs  with  the  19  constant  KEY-IV  values  from 
Appendix  B,  Table  4.  The  PT/TEXT/IV  values  from  the  table  shall  then  be 
assigned  to  the  values  of  the  initialization  vector  IVs. 

k       Initialize  TEXT  to  the  value  of  0,  i.e.,  TEXThex=00  00  00  00  00  00  00  00. 

c.        Forward  this  information  to  the  lUT  using  Input  Type  11. 

2.       The  lUT  shall  perform  the  following  for  i  =  1  to  19: 

a..       Assign  the  value  oflVj  to  the  input  block  IB,,  i.e.,  (IB li,IB2i,...,IB64i)  =  (IVli, 
IV2,...,  IV64i). 
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b.  Process  IBj  through  the  DES  algorithm  in  the  encrypt  state,  resulting  in  the  output 
block  OB;. 

c.  Calculate  RESULTi  by  exclusive-ORing  OBj,  with  TEXT,  i.e.,(R£SULTlj, 
RESULT2i,...,  RESULT64i)  =  (OBli®TEXTl,  OB2ieTEXT2, 
OB64,®TEXT64). 

d.  Forward  the  current  value  of  the  loop  number  i,  KEYj,  IV,,  TEXT  and  RESULTj. 

e.  Set  KEYj+i  equal  to  the  corresponding  KEY  value  supplied  by  the  MOVS. 

f.  Set  rVj+i  equal  to  the  corresponding  PT/TEXT/TV  value  supplied  by  the  MOVS. 

NOTE:  The  above  processing  shall  continue  until  all  19  KEY/INPUT  pairs,  as  specified 
in  Input  Type  1 1,  are  processed.  The  output  from  the  lUT  for  this  test  shall  consist  of  19 
output  strings.  Each  output  string  shall  consist  of  information  included  in  Output  Type  2. 

3.       The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received  results 
to  known  values  found  in  Appendix  B,  Table  4. 
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5.4.1.6  The  Modes  Test  -  OFB  Mode 


MOVS:  Initialize 
Send 


KEYo,  IV,  TEXTo 
KEYo,  IV,  TEXTo 


lUT: 


FOR  i  =  0  TO  399 


If(i=0)IBo  =  IV 
Record  i,  KEY,,  TEXTo 
FORj  =  0  TO  9,999 
{ 

Perform  algorithm  in  encrypt  state,  resulting  in  OBj 
RESULTj  =  OBj  ®  TEXTj 
TEXTj,,  =  IBj 
IBj>,  =  OBj 

} 

Record  IBo,  RESULT; 

Send  i,  KEY;,  IBg,  TEXTo,  RESULTj 

KEYh,  =  KEYj  ©  last  n  bits  of  RESULT,  where  «=64  if  DES,  n=80  if  Skipjack 
TEXTo  =  TEXTo  ©  IB9999 


MOVS:  Check  lUT's  output  for  correctness 
Figure  5.37  The  Modes  Test  -  OFB  Mode 

As  summarized  in  Figure  5.37,  the  Modes  test  for  the  OFB  mode  shall  be  performed  as  follows: 

1.  The  MOVS  shall: 

a.  Initialize  KEY,  W  and  TEXT.  The  TEXT  and  IV  shall  consist  of  64  bits,  while 
the  KEY  length  is  dependent  on  the  algorithm  implemented. 

b.  Forward  these  values  to  the  lUT  using  Input  Type  2. 

2.  The  lUT  shall  perform  the  following,  for  i=0  through  399: 

a.       If  i=0  (if  this  is  the  first  time  through  the  loop),  set  the  input  block  IBq  equal  to  the 


IBo  =  OB, 


•9999 
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value  of  IV,  i.e.,  (IBlo,  IB2o,...,IB64o)  =  (IVl,  IV2,...,IV64). 

Record  the  current  value  of  the  outer  loop  number  i,  KEYj,  and  TEXTo. 

For  j=0  through  9999,  perform  the  following: 

i.  Process  IBj  through  the  DES  or  Skipjack  algorithm  in  the  encrypt  state, 
resulting  in  the  output  block  OBj. 

ii.  Calculate  RESULTj  by  exclusive-ORing  OBj  with  the  value  of  TEXT.,  i.e., 
(RESULTlj,  RESULT2j,...,  RESULT64j)  =  (OBlj©TEXTl:, 
OB2jeTEXT2j, ...  OB64j®TEXT64j). 

iii.  Prepare  for  loop  j+ 1  by  doing  the  following: 

-  Assign  the  current  value  of  IBj  to  TEXTj^,,  i.e.,  (TEXTlj^,,  TEXT2j^„  ... 
TEXT64j„)  =  (IBlj,  IB2j, IB64j). 

-  Assign  the  value  of  the  current  OBj  to  IBj+„  i.e.,(IBlj+„  IB2j+„...,IB64j^,) 
=  (OBlj,  OB2j,...,OB64j). 

Record  the  IBo  and  RESULTj . 

Output  all  recorded  values  for  this  loop  using  Output  Type  2. 

In  preparation  of  the  next  outer  loop: 

i.       Assign  a  new  value  to  KEY  in  preparation  for  the  next  outer  loop.  The 
new  KEY  shall  be  calculated  by  exclusive-ORing  the  current  KEY  with 
the  current  RESULT.  For  lUTs  of  the  DES  algorithm,  this  shall  equate  to 
(KEYlj,,,  KEY2i,„  ...  KEY64i„)  =  (KEY IjeRESULTl 9999, 
KEY2ieRESULT29999, ...  KEY64,eRESULT649999).  For  lUTs  of  the 
Skipjack  algorithm,  the  RESULT  shall  be  expanded  in  length  to  80  bits 
(the  length  of  a  Skipjack  key)  before  the  new  KEY  can  be  formed.  This 
expansion  shall  be  accomplished  by  concatenating  the  16  rightmost  bits  of 
the  previous  RESULT  (RESULTgggg)  with  the  64  bits  of  the  current 
RESULT  (RESULT9999).  This  value  shall  then  be  exclusive-ORed  with 
the  current  KEY  to  form  the  new  KEY,  i.e.,  (KEYlj^,,  KEY2j+„  ... 
KEY80i^,)  =  (KEYlieRESULT499998,  KEY2ieRESULT509998, ... 
KEY16i©RESULT649998,  KEY  17i®RESULTl 9999,  KEY18i®RESULT29999, 
...  KEY80i©RESULT649999). 

ii.      Assign  a  new  value  to  TEXTq.  The  TEXTq  shall  be  assigned  the  value  of 
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the  old  TEXTo,  exclusive-ORed  with  IB9999,  i  e.,  (TEXTIq,  TEXT2o,  ... 
TEXT64o)  =  (TEXTlo®IBl9999,  TEXT2oeIB29999, TEXT64o®IB649999). 
(Note  that  the  new  TEXT  shall  be  denoted  as  TEXTq  because  this  value  is 
used  for  the  first  pass  through  the  inner  loop  when  j=0.) 

iii.      Assign  a  new  value  to  IBq.  The  IBq  shall  be  assigned  the  current  value  of 
OB9999,  i.e.,  (IBlo,  IB2o,...,IB64o)  =  (OBI,,,,,  OB29999,...,OB649999).  (Note 
that  the  new  IB  shall  be  denoted  as  IB^  because  this  value  is  used  for  the 
first  pass  through  the  inner  loop  when  j=0.) 

NOTE:  The  output  fi-om  the  lUT  for  this  test  shall  consist  of  400  output  strings.  Each 
output  string  shall  consist  of  information  included  in  Output  Type  2. 

The  MOVS  shall  check  the  lUT's  output  for  correctness  by  comparing  the  received  results 
to  known  values. 
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6.  DESIGN  OF  THE  MODES  OF  OPERATION  VALIDATION  SYSTEM  (MOVS)  FOR 

DES  AND  SKIPJACK 


6.1  Design  Philosophy 

NIST  validation  programs  are  conformance  tests  rather  than  measures  of  product  security. 
NIST  validation  tests  are  designed  to  assist  in  the  detection  of  accidental  implementation  errors, 
and  are  not  designed  to  detect  intentional  attempts  to  misrepresent  conformance.  Thus, 
validation  by  NIST  should  not  be  interpreted  as  an  evaluation  or  endorsement  of  overall 
product  security. 

An  lUT  is  considered  validated  for  a  test  option  when  it  passes  the  appropriate  set  of  MOVS 
tests.  MOVS  testing  is  via  statistical  sampling,  so  validation  of  an  option  does  not  guarantee 
100%  conformance  with  the  option  in  the  standards. 

The  intent  of  the  validation  process  is  to  provide  a  rigorous  conformance  process  that  can  be 
performed  at  modest  cost.  NIST  does  not  try  to  prevent  a  dishonest  vendor  from  purchasing  a 
validated  implementation  and  using  this  implementation  as  the  vendor's  lUT.  Customers  who 
wish  to  protect  themselves  against  a  dishonest  vendor  could  require  that  the  vendor  revalidate 
the  lUT  in  the  customer's  presence. 

6.2  Operation  of  the  MOVS 

MOVS  testing  is  done  through  the  NIST  Cryptographic  Module  Validation  (CMV)  Program. 
The  CMV  Program  uses  laboratories  accredited  by  the  NIST  National  Voluntary  Laboratory 
Accreditation  Program  (NVLAP)  to  perform  conformance  tests  to  cryptographic-related  FIPS. 
A  vendor  contracts  with  a  Cryptographic  Module  Testing  (CMT)  Laboratory  accredited  by 
NVLAP.  The  CMT  laboratory  conducts  the  MOVS  tests  on  the  lUT.  The  CMT  laboratory 
submits  the  resuhs  to  NIST  for  validation.  If  the  lUT  has  successfully  completed  the  tests, 
NIST  issues  a  validation  certificate  for  the  lUT  to  the  vendor.  A  list  of  CMT  laboratories  is 
available  at  http://csrc.nist.gov/cryptval. 
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Appendix  A    Sample  Round  Outputs  for  the  DES 


INPUT 
KEY  =  10316E028C8F3B4A 
PLAINTEXT  =  0000000000000000 

L 

R 

00000000 

47092B5B 

47092B5B 

53F372AF 

53F372AF 

9F1D158B 

9F1D158B 

8109CBEE 

8109CBEE 

60448698 

60448698 

29EBB1A4 

29EBB1A4 

620CC3A3 

620CC3A3 

DEEB3D8A 

DEEB3D8A 

A1A0354D 

A1A0354D 

9F0303DC 

9F0303DC 

FD898EE8 

FD898EE8 

2D1AE1DD 

2D1AE1DD 

CBC829FA 

CBC829FA 

B367DEC9 

B367DEC9 

3F6C3EFD 

3F6C3EFD 

5A1E5228 

OUTPUT 

82DCBAFBDEAB6602 
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Appendix  B    Tables  of  Values  for  the  Known  Answer  Tests 


Table  1 

Resulting  Ciphertext  from  the  Variable  Plaintext  Known  Answer  Test  for  DES 

(NOTE:  KEY  =  01  01  01  01  01  01  01  01  (odd parity  set)) 


ROUND 

PLAINTEXT  or  IV 
(depending  on  mode) 

CIPHERTEXT 

0 

80  00  00  00  00  00  00  00 

95  F8  A5  E5  DD31  D9  00 

1 

40  00  00  00  00  00  00  00 

DD  7F12  1CA5  01  56  19 

2 

20  00  00  0000  00  00  00 

2E86  53  104F38  34  EA 

3 

10  00  00  00  00  00  00  00 

4BD3  88  FF6CD8  1D4F 

4 

08  00  00  00  00  00  00  00 

20B9E7  67  B2  FB  14  56 

5 

04  00  00  00  00  00  00  00 

55  57  93  80  D7  71  38  EF 

6 

02  00  00  00  00  00  00  00 

6C  C5  DEFAAF04  512F 

7 

01  00  00  00  0000  00  00 

OD  9F  27  9B  A5  D8  72  60 

8 

00  80  00  00  00  00  00  00 

D9  03  IB  02  71  BD  5A0A 

9 

00  40  00  00  00  00  00  00 

42  42  50  B3  7C  3D  D9  51 

10 

00  20  00  00  00  00  00  00 

B8  061B7ECD9A21  E5 

11 

00  10  00  00  00  00  00  00 

Fl  5D0F28  6B  65  BD  28 

12 

00  08  00  00  00  00  00  00 

ADDOCC  8D6E5DEB 
Al 
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ROUND 

PLAINTEXT  or  IV 
(depending  on  mode) 

CIPHERTEXT 

13 

00  04  00  00  00  00  00  00 

E6  D5  F8  27  52  AD  63  Dl 

14 

00  02  00  00  00  00  00  00 

EC  BF  E3  BD  3F  59  1A5E 

15 

00  01  00  00  00  00  00  00 

F3  56  83  43  79  Dl  65  CD 

16 

00  00  80  00  00  00  00  00 

2B  9F  98  2F  20  03  7F  A9 

17 

00  00  40  00  00  00  00  00 

88  9D  EO  68  Al  6F  OB  E6 

18 

00  00  20  00  00  00  00  00 

El  9E  27  5D  84  6A  12  98 

19 

00  00  10  00  00  00  00  00 

32  9A  8E  D5  23  D7  lA  EC 

20 

00  00  08  00  00  00  00  00 

E7  FC  E2  25  57  D2  3C  97 

21 

00  00  04  00  00  00  00  00 

12  A9  F5  81  7F  F2  D6  5D 

22 

00  00  02  00  00  00  00  00 

A4  84  C3  AD  38  DC  9C  19 

23 

00  00  01  00  00  00  00  00 

FB  EO  OA  8A  IE  F8  AD  72 

24 

00  00  00  80  00  00  00  00 

75  OD  07  94  07  52  13  63 

25 

00  00  00  40  00  00  00  00 

64  FE  ED  9C  72  4C  2F  AF 

26 

00  00  00  20  00  00  00  00 

FO  2B  26  3B  32  8E  2B  60 

27 

00  00  00  10  00  00  00  00 

9D  64  55  5A  9A  10  B8  52 

28 

00  00  00  08  00  00  00  00 

Dl  06  FF  OB  ED  52  55  D7 

29 

00  00  00  04  00  00  00  00 

El  65  2C  6B  13  8C64A5 

30 

00  00  00  02  00  00  00  00 

E4  28  58  1 1  86  EC  8F  46 
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ROUND 

PLAINTEXT  or  IV 
(depending  on  mode) 

CIPHERTEXT 

31 

00  00  00  01  00  00  00  00 

AEB5  F5  EDE2  2D  1A36 

32 

00  00  00  00  80  00  00  00 

E9  43  D7  56  8A  EC  OC  5C 

33 

00  00  00  00  40  00  00  00 

DF  98  C8  27  6F  54  BO  4B 

34 

00  00  00  00  20  00  00  00 

Bl  60  E4  68  OF  6C  69  6F 

35 

00  00  00  00  10  00  00  00 

FA  07  52  BO  7D  9C  4A  B8 

36 

00  00  00  00  08  00  00  00 

CA  3A  2B  03  6D  BC  85  02 

37 

00  00  00  00  04  00  00  00 

5E  09  05  51  7B  B5  9B  CF 

38 

00  00  00  00  02  00  00  00 

81  4EEB3B91  D9  07  26 

39 

00  00  00  00  01  00  00  00 

4D49  DB  15  32  91  9C  9F 

40 

00  00  00  00  00  80  00  00 

25EB5F  C3  F8  CF  06  21 

41 

00  00  00  00  00  40  00  00 

AB  6A  20  CO  62  OD  IC  6F 

42 

00  00  00  00  00  20  00  00 

79  E9  OD  BC  98  F9  2C  CA 

43 

00  00  00  00  00  10  00  00 

86  6E  CE  DD  80  72  BB  OE 

44 

00  00  00  00  00  08  00  00 

8B  54  53  6F  2F  3E  64  A8 

45 

00  00  00  00  00  04  00  00 

EA51  D3  97  55  95  B8  6B 

46 

00  00  00  00  00  02  00  00 

CA  FF  C6  AC  45  42  DE31 

47 

00  00  00  00  00  01  00  00 

8D  D4  5A  2D  DF  90  79  6C 

48 

00  00  00  00  00  00  80  00 

10  29  D5  5E  88  OE  C2  DO 
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ROUND 

PLAINTEXT  or  IV 
(depending  on  mode) 

CIPHERTEXT 

49 

00  00  00  00  00  00  40  00 

5D  86  CB  23  63  9D  BE  A9 

50 

00  00  00  00  00  00  20  00 

ID  IC  A8  53  AE  7C  OC  5F 

51 

00  00  00  00  00  00  10  00 

CE  33  23  29  24  8F  32  28 

52 

00  00  00  00  00  00  08  00 

84  05  Dl  AB  E2  4F  B9  42 

53 

00  00  00  00  00  00  04  00 

E6  43  D7  80  90  CA  42  07 

54 

00  00  00  00  00  00  02  00 

48  22  IB  99  37  74  8A  23 

55 

00  00  00  00  00  00  01  00 

DD  7C  OB  BD  61  FA  FD  54 

56 

00  00  00  00  00  00  00  80 

2F  BC  29  1 A  57  OD  B5  C4 

57 

00  00  00  00  00  00  00  40 

EO  7C  30  D7  E4  E2  6E  12 

58 

00  00  00  00  00  00  00  20 

09  53  E2  25  8E  8E  90  Al 

59 

00  00  00  00  00  00  00  10 

5B  71  IB  C4  CE  EB  F2  EE 

60 

00  00  00  00  00  00  00  08 

CC  08  3F  IE  6D  9E  85  F6 

61 

00  00  00  00  00  00  00  04 

D2  FD  88  67  D5  OD  2D  FE 

62 

00  00  00  00  00  00  00  02 

06  E7  EA  22  CE  92  70  8F 

63 

00  00  00  00  00  00  00  01 

16  6B40B4  4ABA4BD6 
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I 

Table  2 

Resulting  Ciphertext  from  the  Variable  Key  Known  Answer  Test  for  DES 
(NOTE:  Plaintext/text  =  00  00  00  00  00  00  00  00  and,  where  applicable,  IV  =  00  00  00  00  00  00  00  00) 


ROUND 

KEY 

CIPHERTEXT 

0 

80  01  01  01  01  01  01  01 

95  A8  D7  28  13DAA9  4D 

1 

40  01  01  01  01  01  01  01 

OEEC  14  87  DD  8C26D5 

2 

20  01  01  01  01  01  01  01 

7AD1  6FFB  79  C4  59  26 

3 

10  01010101  01  0101 

D3  74  62  94  CA6A6C  F3 

4 

08  0101  010101  01  01 

80  9F  5F  87  3C  IF  D7  61 

5 

04  01  01  01  01  01  01  01 

CO  2FAFFEC9  89  Dl  FC 

6 

02  01  01  0101010101 

46  15  AA  ID  33  E7  2F  10 

7 

01  8001010101  01  01 

20  55  12  33  50  CO  08  58 

8 

01  40  01  01  01  01  01  01 

DF  3B  99  D6  57  73  97  C8 

9 

01  20  01  01  01  01  01  01 

31  FE  17  36  9B  52  88  C9 

10 

01  10  01  01  010101  01 

DFDD3C  C64DAE  16  42 

11 

0108  01  01  01  01  01  01 

17  8C  83  CE  2B  39  9D  94 

12 

01  04  01010101  01  01 

50F6  36  32  4A9B7F80 

13 

01  02  01  01  0101  01  01 

A8  46  8E  E3  BC  18  FO  6D 
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1\±>Y 

CIPHERTEXT 

1  A 

m  Ai  on  Al  A1  Al  A1  A1 

Ul  Ul  oU  Ul  Ul  Ul  Ul  Ul 

Al  DC  9E  92  FD  3C  DE  92 

1 J 

A1  01  /1AA1  Al  Al  Al  Al 

Ul  ul  4UU1  Ul  Ul  Ul  Ul 

A    /~^f\  r\T7  TA             A*^    1  Ci'~t 

CA  CO  9F  79  7D  03  12  87 

Al  Al  OA  Al  Al  Al  Al  Al 

Ul  Ul  zUUl  Ul  Ul  Ul  Ul 

90  BA  68  OB  22  AE  B5  25 

Al   Al    1AA1   Al  Al   Al  Al 

Ul  Ul  iUUl  Ul  Ul  Ul  Ul 

CE  7A  24  F3  50  E2  80  B6 

1  0 

lo 

Al   Al   AO  Al  Al   Al   Al  Al 

Ul  Ul  Uo  Ul  Ul  Ul  Ul  Ul 

OO              TT'  A  A      A  A    1    A     AT^  Ci^ 

88  2B  FF  OA  AO  lA  OB  87 

1  C\ 

ly 

Al   Al   Ayl  Al   Al   Al   Al  Al 

Ul  Ul  U4  01  010101  01 

C    /"  t    A*^    A  O  A*^    AC    1  1  ^~^''\ 

25  61  02  88  92  45  11  C2 

OA 

Al   Al   AO  Al   Al   Al   Al  Al 
Ul  Ul  U/Ul  Ul  Ul  Ul  Ul 

C7  15  16  C2  9C  75  Dl  70 

O  1 

Zi 

Al   Al   Al   OA  Al   Al  Al  Al 

010101  oO  01  01  01  01 

51  99  C2  9A  52  C9  FO  59 

22 

01  01  01  40  01  01  01  01 

C2  2F  OA  29  4A  71  F2  9F 

23 

01  01  01  20  01  01  01  01 

EE  37  14  83  71  4C  02  EA 

24 

f\1    f\'\    f\t     t  f\  f\t    f\\    /\1  At 

01  01  01  10  01  01  01  01 

A8  IF  BD  44  8F  9E  52  2F 

25 

A1    r\i    i\t                     Al    Al  Al 

01  01  01  08  01  01  01  01 

4F  64  4C  92  El  92  DF  ED 

26 

Al    Al    Al    A/1    At    Ai    Al  Al 

01  01  01  04  01  01  01  01 

lA     T^A    AA     /'  /'     A/'  T>T^  AA     A  1~* 

lA  FA  9 A  66  A6  DF  92  AE 

27 

A  i     A  1     A  1     A'^    Al     Al     Al  Al 

01  01  01  02  01  01  01  01 

B3  CI  CC  71  5C  B8  79  D8 

28 

Al     Al     Al     Al     AAA1     Al  Al 

01  01  01  01  80  01  01  01 

1  A  TVA  ^A               A  A     T~\  A  T\  T~X  OT^ 

19  DO  32  E6  4A  BO  BD  8B 

29 

Al    Al    Al    Al     /IAA1    Al  Al 

01  01  01  01  40  01  01  01 

T""  A      A  ^     AT  7~\/~i  O'l  -^A  T*\/~< 

3C  FA  A7  A7  DC  87  20  DC 

30 

01  01  01  01  20  01  01  01 

B7  26  5F  7F  44  7A  C6  F3 

31 

01  01  01  01  10  01  01  01 

9D  B7  3B  3C0D  16  3F  54 
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ROUND 

KEY 

CIPHERTEXT 

32 

01  01  01  01  08  01  01  01 

81  81  B6  5B  ABF4A9  75 

33 

01  01  01  01  0401  01  01 

93  C9  B6  40  42  EA  A2  40 

34 

01  01  01  01  02  01  01  01 

55  70  53  08  29  70  55  92 

35 

01  01  01  01  01  80  01  01 

86  38  80  9E  87  87  87  AO 

36 

01  01  01  01  01  4001  01 

41  B9  A7  9A  F7  9A  C2  08 

37 

01  01  01  01  01  2001  01 

7A  9B  E4  2F  20  09  A8  92 

38 

01  01  01  01  01  1001  01 

29  03  8D  56  BA  6D  27  45 

39 

01  01  01  01  01  08  01  01 

54  95  C6ABF1  E5  DF51 

40 

01  01  01  01  01  0401  01 

AE  13  DB  D5  61  48  89  33 

41 

01  01  01  01  01  02  01  01 

02  4D  IF  FA  89  04  E3  89 

42 

01  01  01  01  01  01  80  01 

Dl  39  97  12F9  9BF0  2E 

43 

01  01  01  01  01  01  40  01 

14  CI  D7C1  CF  FE  C7  9E 

44 

01  01  01  01  01  01  20  01 

ID  E5  27  9D  AE  3B  ED  6F 

45 

01  01  01  01  01  01  1001 

E9  41  A3  3F  85  50  13  03 

46 

01  01  01  01  01  01  08  01 

DA  99  DB  BC  9A  03  F3  79 

47 

01  01  01  01  01  01  04  01 

B7  FC  92  F9  1D8E  92  E9 

48 

01  01  01  01  01  01  02  01 

AE  8E  5C  AA  3C  AO  4E  85 

49 

01  01  01  01  01  01  01  80 

9C  C6  2D  F4  3B  6E  ED  74 
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ROUND 

KEY 

aPHERTEXT 

50 

01  01  01  01  01  01  01  40 

D8  63  DB  B5  C5  9A  91  AO 

51 

01  01  01  01  01  01  01  20 

Al  AB  21  90  54  5B  91  D7 

52 

01  01  01  01  01  01  01  10 

08  75  04  1E64C5  70  F7 

J  J 

ni  ni  ni  ni  ni  ni  ni  or 

Ul  Ul  Ul  Ul  VJl  Ul  v/1  uo 

4^  7R  TVP  FiP  PI 
jy        Lo  DC  DE  r  1  K^Ky 

54 

01  010101  01  01  0104 

FCDB32  91  DE21  FOCO 

55 

01  01  01  01  01  01  01  02 

86  9E  FD  7F  9F26  5A  09 
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Table  3 


Values  To  Be  Used  for  the  Permutation  Operation  Known  Answer  Test 

(NOTE:  Plaintext/text  =  00  00  00  00  00  00  00  00  for  each  round  and, 
where  applicable,  IV  =  00  00  00  00  00  00  00  00) 


ROUND 

KEY 

CT/RESULT 

0 

10  46  Q1  '^4          ni  ^1 
*tu  yv  */*T  oy  yo  v/i  ji 

88  F)S  SF  <n4      AC  07  R4 

oo  xjj  jCi      r  J       y  1  Dt- 

1 
1 

1 0  07  1 0  '^4  RO  QR  80  90 
LKj  yj  1  i\j  jt  oy  yo  ov  ZrV 

or"  C\C  C(\  CsC  8'?  F  A  48  FFJ 

z 

1  n  07  1 0  ^4  r's  OS  oi  9o 

R'^  RP  8F  F'i  A/^  'si  01  8^ 
oj  131^  oli  cj  /VO  J  /  Ul  oj 

1 

J 

1  0  46  1 0  "^4  8Q  QS  80  90 
lu  to  lU  JH-  oy  yQ  oU  zu 

TiV  79  ^Fi  PA  FiO  AV  A 9  FO 

Ur  /Z  jlJ  K^JrS.  Lly  'txl  /\Z  tZ/y 

A 

10  8^  01  1^  10  1001  01 

iu  60  yi  ij  ly  lyui  ui 

FA  ^9  R<;  '^R       OR  F8  RO 
JiO  JZ  DJ        j J  Ul3  xlo  xSU 

c 

D 

1  (\  QA  Q1  1<C  lO^RAI  ni 

lu  oo  yi  13  ly  JO  ui  ui 

AF  ^9  71  90  Pd  8*;  PR  RO 
/Vr  jZ  / 1  ZU        o  J  K^D  DU 

O 

jl  U/  dU  id  vy  JO  UI  Ul 

HF  A4  PF  ^50  '^F»  RO  9A  F>^ 
Ur  U'f  L/Jd  jy  Jiy  Dy  ZO  Uj 

7 

10  07  RO  1  S  1Q  IQ  01  01 

C9  FO  OF  FC  74  07  90  67 

8 

31  07  91  54  98  08  01  01 

7C  FD  82  A5  93  25  2B  4E 

9 

31  07  91  94  98  08  01  01 

CB  49  A2  F9  E9  13  63  E3 

10 

10  07  91  15  B9  08  01  40 

00  B5  88  BE  70  D2  3F  56 

11 

31  07  91  15  98  08  01  40 

40  6A  9A  6A  B4  33  99  AE 

12 

10  07  DO  15  89  98  0101 

6CB7  73  61  1DCA9ADA 
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ROUND 

KEY 

CT/RESULT 

13 

91  07  91  15  89  98  01  01 

67  FD  21  CI  7D  BB  5D  70 

14 

9107  DO  15  89  19  01  01 

95  92  CB  41  10  43  07  87 

15 

10  07  DO  15  98  98  01  20 

A6  B7FF68  A3  18DDD3 

16 

10  07  94  04  98  19  01  01 

4D  10  21  96  C9  14CA16 

17 

01  07  91  04  91  19  04  01 

2D  FA9F45  73  59  49  65 

18 

01  07  91  04  91  19  01  01 

B4  66  04  81  6C  OE  07  74 

19 

01  07  94  04  91  19  04  01 

6E  7E  62  21  A4F3  4E87 

20 

19  07  92  10  98  lAOlOl 

AA85  E7  46  43  23  31  99 

21 

10  07  91  19  98  19  08  01 

2E  5A  19  DB  4D  19  62  D6 

22 

10  07  91  19  98  1A08  01 

23  A8  66  A8  09  D3  08  94 

23 

10  07  92  10  98  19  01  01 

D8  12D9  61  FO  17  D3  20 

24 

10  07  91  15  98  19  01  OB 

05  56  05  81  6E58  60  8F 

25 

10  04  80  15  98  19  01  01 

ABD8  8E  8B  IB  77  16  Fl 

26 

10  04  80  15  98  19  01  02 

53  7A  C9  5BE6  9DA1  El 

27 

10  04  80  15  98  19  01  08 

AE  DO  F6  AE  3C  25  CD  D8 

28 

10  02  91  15  98  10  01  04 

B3  E3  5A  5E  E5  3E  7B  8D 

29 

10  02  91  15  98  19  01  04 

61  C7  9C71  92  1A2EF8 

134 


ROUND 

KEY 

CT/RESULT 

30 

10  02  91  15  98  10  02  01 

E2  F5  72  8F  09  95  01  3C 

31 

10  02  91  16  98  10  01  01 

IAEA  C3  9A61  FO  A4  64 
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Table  4 

Values  To  Be  Used  for  the  Substitution  Table  Known  Answer  Test 


KEY 

PT/TEXT/rV 
(depending  on  mode) 

\     r          "  _--l-__Z— _ 

CT/RESULT 

U 

7r  A 1  1 0  45  4 A  1 A  6F  57 

ni  A 1  Tv;  nn    77  ao 

\J1        UO  UV  jy  /  1  0 1 

fJQ  fiC  <;IJ  AT^  OA  QD 

Oy  Ur  JD  UU  VA  ZO  yi  yo 

1 

01  31  D9  61  9D  CI  37  6E 

5C  D5  4C  A8  3D  EF  57  DA 

7A  38  9D  10  35  4B  D2  71 

2 

07  Al  13  3E  4A  OB  26  86 

02  48D4  38  06  F6  71  72 

86  8EBB51  CA  B4  59  9A 

3 

38  49  67  4C  26  02  3 1  9E 

51  45  4B  58  2D  DF  44  OA 

71  78  87  6E01  Fl  9B  2A 

4 

04  B9  15  BA  43  FE  B5  B6 

42  FD  44  30  59  57  7F  A2 

AF  37  FB  42  IF  8C  40  95 

5 

01  13  B9  70FD34F2CE 

05  9B  5E  08  51  CF  14  3A 

86  A5  60F10EC6  D8  5B 

6 

01  70  Fl  75  46  8F  B5  E6 

07  56D8E0  7747  61  D2 

OC  D3  DA  02  00  21  DC  09 

7 

43  29  7F  AD  38  E3  73  FE 

76  25  14  B8  29  BF  48  6A 

EA  67  6B  2C  B7  DB  2B  7A 

8 

07  A7  13  70  45  DA  2A  16 

3B  DD  U  90  49  37  28  02 

DFD6  4A81  5CAF  lAOF 

9 

04  68  91  04  C2  FD  3B  2F 

26  95  5F  68  35  AF  60  9A 

5C51  3C  9C48  86  CO  88 

10 

37  DO  6B  B5  16  CB  75  46 

164D5E40  4F27  52  32 

0A2AEEAE3FF4AB77 

1 1 
1 1 

Ir  Uo  ZO  VU  1/V  L-Z  JC 

/;r  as  ftp  ia  7S  QP  r'A 

VtV  IR  T7n  IF  Sri  FA  S7  SA 

12 

58  40  23  64  lA  BA  61  76 

00  4BD6EF09  17  60  62 

88  BF  OD  B6  D7  OD  EE  56 

13 

02  58  16  16  46  29  BO  07 

48  OD  39  00  6E  E7  62  F2 

Al  F9  91  55  41  02  OB  56 

14 

49  79  3E  BC  79  B3  25  8F 

43  75  40  C8  69  8F  3C  FA 

6F  BF  IC  AF  CF  FD  05  56 

15 

4F  BO  5E  15  15  AB  73  A7 

07  2D  43  AO  77  07  52  92 

2F  22  E4  9B  AB  7C  Al  AC 

16 

49  E9  5D  6D  4C  A2  29  BF 

02  FE  55  77  81  17  Fl  2A 

5A  6B  61  2C  C2  6C  CE  4A 

17 

01  83  10  DC  40  9B  26  D6 

1D9D  5C  50  18F7  28C2 

5F  4C  03  8ED1  2B  2E41 

18 

1C  58  7F  IC  13  92  4F  EF 

30  55  32  28  6D  6F  29  5A 

63  FA  CO  DO  34  D9  F7  93 
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Table  5 

Resulting  Ciphertext  from  the  Variable  Plaintext  Known  Answer  Test  for  Skipjack 
(NOTE:  KEY  =  00  00  00  00  00  00  00  00  00  00) 


ROUND 

PLAINTEXT  or  IV  (depending 
on  mode) 

CIPHERTEXT 

00 

80  00  00  00  00  00  00  00 

9A  90  BC  OB  75  CI  37  03 

01 

40  00  00  00  00  00  00  00 

CC  68  43  59  8C  73  2B  BE 

02 

20  00  00  00  00  00  00  00 

13  72  95  35  09  R3  CI  AC 

03 

10  00  00  00  00  00  00  00 

70  AA  AA  84  1 8  E4  89  30 

04 

08  00  00  00  00  00  00  00 

E4  BO  B4  Al  39  E8  54  6E 

05 

04  00  00  00  00  00  00  00 

70  18  F7  13  66  14  6E  AF 

/V     XUi     /      X  -J    \J\J     X  ~   \Jl—i  X  1.x. 

06 

02  00  00  00  00  00  00  00 

B3  8F  3D  7E  4F  2D  25  3D 

07 

01  00  00  00  00  00  00  00 

D6  4B  A2  06  51  13  D9  IE 

08 

00  80  00  00  00  00  00  00 

F9  5B  92  2F  14  27  A9  F2 

09 

00  40  00  00  00  00  00  00 

6B  64  2F  DE  40  85  85  86 

10 

00  20  00  00  00  00  00  00 

W   t-^\J    \J\J    \J\J    \J\J    \J\J    \j\J  \J\f 

6C  F5  2D  5E  61  69  52  17 

1 1 

00  1 0  00  00  00  00  00  00 

\J\J    1  \J  \J\J  \J\J  \J\J  \J\J  \J\J  \J\J 

BC  OF  6B  CA  62  El  39  A6 

12 

00  08  00  00  00  00  00  00 

\f\j         \J\J        \J\J  v/v  Kfyj  \J\J 

6A  D5  03  DC  2A  BO  BF  E2 

13 

00  04  00  00  00  00  00  00 

yjyj  \J\J 

AF  AD  D7  CA  B6  72  35  16 

14 

00  02  00  00  00  00  00  00 

\J\J  yjjL,  \J\J  \J\J  \J\J  \J\J  \J\J  KfXJ 

00  42  IB  89  5A  F5  CO  OA 

15 

00  01  00  00  00  00  00  00 

CA  DO  45  6C  F8  6C  D5  98 

16 

00  00  80  00  00  00  00  00 

16F41C8F  8A6A5B  79 

17 

00  00  40  00  00  00  00  00 

4C  E7  71  C7  51  BA27  60 

18 

00  00  20  00  00  00  00  00 

72  C9  02  E5  8C  E5  5B  87 

19 

00  00  10  00  00  00  00  00 

6D  37  8C  66  64  DO  01  10 

20 

00  00  08  00  00  00  00  00 

AC  27  B8  5B  OA  75  E8  BA 

21 

00  00  04  00  00  00  00  00 

54  DF  3A  75  5B  00  63  D2 

22 

00  00  02  00  00  00  00  00 

314F4D28  6DB4  90  58 

23 

00  00  01  00  00  00  00  00 

88AE06  66  B2  AO  7846 
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ROUND 

PLAINTEXT  or  IV  rdeoendins 
on  mode) 

24 

00  00  00  80  00  00  00  00 

D8  60  A8  D9  AO  2C  BC  E8 

25 

00  00  00  40  00  00  00  00 

37  CE  5E  EA  53  13  53  5D 

26 

00  00  00  20  00  00  00  00 

73  3A  F9  2D  Al  CI  80  26 

27 

00  00  00  10  00  00  00  00 

34  IC  23  5F  6E  32  98  ID 

28 

00  00  00  08  00  00  00  00 

C6  A6  56  14  47  D9  EO  96 

29 

00  00  00  04  00  00  00  00 

C5  50  66  A8  D8  39  E5  FA 

30 

00  00  00  02  00  00  00  00 

65  86  4B  48  79  11  Al  OC 

31 

00  00  00  01  00  00  00  00 

87  29  07  E2  D3  36  33  2A 

32 

00  00  00  00  80  00  00  00 

AF  03  76  88  E7  A5  24  9C 

33 

00  00  00  00  40  00  00  00 

CI  FC  Dl  B4  DC  C2  AC  BB 

34 

00  00  00  00  20  00  00  00 

40  48  48  80  2D  69  3D  DA 

35 

00  00  00  00  10  00  00  00 

B2  DCCEE3  3B  15  6D  B6 

36 

00  00  00  00  08  00  00  00 

E6  20  F4  2A  7F  A9  01  OB 

37 

00  00  00  00  04  00  00  00 

7C  FO  67  F3  BD  3E  C3  53 

38 

00  00  00  00  02  00  00  00 

06  37  78  IF  lA  34  72  81 

39 

00  00  00  00  01  00  00  00 

47  41  Fl  46  4B  71  70  8E 

40 

00  00  00  00  00  80  00  00 

ED  AD  33  F4  56  F5  14  DF 

41 

00  00  00  00  00  40  00  00 

ED  81  27  48  B7  F5  23  E9 

42 

00  00  00  00  00  20  00  00 

83  8C  9C  C3  83  D4  62  97 

43 

00  00  00  00  00  10  00  00 

FB  2B  CO  FC  C9  2F  9B  24 

44 

00  00  00  00  00  08  00  00 

E5  9AA1  12  2A  65  44  32 

45 

00  00  00  00  00  04  00  00 

D4C8  EF  7E  06  43  12  53 

46 

00  00  00  00  00  02  00  00 

32  ED  63  28  14  C2  A8  56 

47 

00  00  00  00  00  01  00  00 

5D  C2  9F  7D  E9  6E  E5  2C 

48 

00  00  00  00  00  00  80  00 

68  AO  7C  7E  8E  AD  D5  61 

49 

00  00  00  00  00  00  40  00 

B2  70  68  F2  D6  B3  37  E2 

50 

00  00  00  00  00  00  20  00 

lA  F5  IE  9C  29  BF  DC  7B 

51 

00  00  00  00  00  00  10  00 

92  IDBD  9B  1C6B  EAEB 

52 

00  00  00  00  00  00  08  00 

5B6A60  22  35  94  35  D2 
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ROUND 

PLAINTEXT  or  IV  (depending 
on  mode) 

CIPHERTEXT 

53 

00  00  00  00  00  00  04  00 

D7  74  C6  23  74  B2  3B  09 

54 

00  00  00  00  00  00  02  00 

FD  9F  05  27  59  4C  E3  7B 

55 

00  00  00  00  00  00  01  00 

67  86  01  C8  B3  64  A7  94 

56 

00  00  00  00  00  00  00  80 

D5  18  22  8D  5B  OB  E3  D7 

57 

00  00  00  00  00  00  00  40 

A4  5F  EE  6B  DD  IF  73  4A 

58 

00  00  00  00  00  00  00  20 

Dl  BA  95  51  DF  7C  D5  68 

59 

00  00  00  00  00  00  00  10 

AE  A3  3D  09  DC  9D  13  10 

60 

00  00  00  00  00  00  00  08 

96  B4  91  CI  FE  44  3E  9A 

61 

00  00  00  00  00  00  00  04 

DO  EO  14  CF  EE  94  58  9D 

62 

00  00  00  00  00  00  00  02 

OB  9E  44  B5  37  AF  28  79 

63 

00  00  00  00  00  00  00  01 

22  F4  28  E3  EC  49  IE  60 
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Table  6 

Resulting  Ciphertext  from  the  Variable  Key  Known  Answer  Test  for  Skipjack 

((NOTE:  Plaintext/text  =  00  00  00  00  00  00  00  00  and,  where  applicable,  IV  =  00  00  00  00  00  00  00  00) 


ROUND 

KEY 

CIPHERTEXT 

0 

80  00  00  00  00  00  00  00  00  00 

7A00E4  94  41  46  1F5A 

1 

40  00  00  00  00  00  00  00  00  00 

Al  4F  F8  BCDl  BC9EF9 

2 

20  00  00  00  00  00  00  00  00  00 

D7  E8  10  38  5A42  AAEA 

3 

10  00  00  00  00  00  00  00  00  00 

28  FE  2C  33  32  AA  BD  35 

4 

08  00  00  00  00  00  00  00  00  00 

3F  CO  FO  5E  E6  CE  78  8A 

i  5 

04  00  00  00  00  00  00  00  00  00 

44  3D  DO  CB  75  26  F7  4B 

6 

02  00  00  00  00  00  00  00  00  00 

AD  81  9E  67  7C  F9  03  05 

7 

01  00  00  00  00  00  00  00  00  00 

98  91  75  5E  5E  BA  5B  ID 

8 

00  80  00  00  00  00  00  00  00  00 

OE  64  B4  94  63  3B  F2  CB 

9 

00  40  00  00  00  00  00  00  00  00 

63  38  1A08A4  7F  C4  8D 

10 

00  20  00  00  00  00  00  00  00  00 

F4  10  8B  09  9B  04  70  40 

11 

00  10  00  00  00  00  00  00  00  00 

74  02  16  61  4E  DO  E2  5B 

12 

00  08  00  00  00  00  00  00  00  00 

80  00  91  7B  2E  16  B9  2A 

13 

00  04  00  00  00  00  00  00  00  00 

A9  76  9B  62  B3  AO  BE  4E 

14 

00  02  00  00  00  00  00  00  00  00 

42FDB8  72  EA31  41  21 

15 

00  01  00  00  00  00  00  00  00  00 

ID  67  2B  AO  15  6A  B3  9D 

16 

00  00  80  00  00  00  00  00  00  00 

F4  44  41  D7  C7  77  FO  57 

17 

00  00  40  00  00  00  00  00  00  00 

EA  48  7D  DC  36  OD  15  94 

18 

00  00  20  00  00  00  00  00  00  00 

32  4B  OE  78  5F  F2  B9  08 

19 

00  00  10  00  00  00  00  00  00  00 

1AF5  9E  C2  B9  D6  4C  4F 

20 

00  00  08  00  00  00  00  00  00  00 

81  9B  7E  10  2E  76  AO  EE 

21 

00  00  04  00  00  00  00  00  00  00 

OB  OB  FE  OD  4A  37  AA  9E 

22 

00  00  02  00  00  00  00  00  00  00 

12  B4  3E37  60  D3  OD  A6 

23 

00  00  0100  00  00  00  00  00  00 

31  77  25  6C46  15  41  EE 
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KOUJND 

KEY 

CIPHERTEXT 

24 

00  00  00  80  00  00  00  00  00  00 

36  00  EB  92  83  6C  AO  26 

25 

00  00  00  40  00  00  00  00  00  00 

75  A4  35  AD  22  EC  F7  93 

26 

00  00  00  20  00  00  00  00  00  00 

71  90AA99  13  CI  F9  EC 

27 

00  00  00  10  00  00  00  00  00  00 

AB  A7  18  Bl  85  Al  ID  DO 

28 

00  00  00  08  00  00  00  00  00  00 

40  F6  7A  BF  CC  3B  87  3C 

29 

00  00  00  04  00  00  00  00  00  00 

38  AO  A5  8F  BO  97  28  F2 

30 

00  00  00  02  00  00  00  00  00  00 

CA  70  2E  49  BF  6F  A6  45 

31 

00  00  00  01  00  00  00  00  00  00 

45  5D  93  FO  39  EA  08  60 

32 

00  00  00  00  80  00  00  00  00  00 

53  47  64  3F  E8  03  88  3F 

33 

00  00  00  00  40  00  00  00  00  00 

F4  0FF1  DC  BA  2BC1  E5 

34 

00  00  00  00  20  00  00  00  00  00 

57  4A  48  48  36  9D41  2E 

35 

00  00  00  00  10  00  00  00  00  00 

B2  BE  93  6E  36  67  06  36 

36 

00  00  00  00  08  00  00  00  00  00 

5C  88  51  7D27  42E6  19 

37 

00  00  00  00  04  00  00  00  00  00 

99  3C  89  DO  9A  2F  E5  56 

38 

00  00  00  00  02  00  00  00  00  00 

lA  3F  72  DA  69  4C  9F  C7 

39 

00  00  00  00  01  00  00  00  00  00 

96  59  D5  22  8F4CB1  51 

40 

00  00  00  00  00  80  00  00  00  00 

7C  13  F4  9E  75  OF  5C  30 

41 

00  00  00  00  00  40  00  00  00  00 

35  00  BD  40  7B  CD  01  F6 

42 

00  00  00  00  00  20  00  00  00  00 

85  C5  8E  3C  49  44  20  28 

43 

00  00  00  00  00  10  00  00  00  00 

84  13  84  OA  2D  48  AB  EA 

44 

00  00  00  00  00  08  00  00  00  00 

83  28  50  E6  E5  C4  AE  5A 

45 

00  00  00  00  00  04  00  00  00  00 

29  E9  7F  OD  9F  OF  DC  5F 

46 

00  00  00  00  00  02  00  00  00  00 

2C  45  23  04  37  FF  2E  04 

47 

00  00  00  00  00  01  00  00  00  00 

10  C4  09  FB  87  2A  98  4F 

48 

00  00  00  00  00  00  80  00  00  00 

14  69  3B  30  C3  AF  74  70 

49 

AA  f\n  f\f\  f\n  AA  An  Ar\  f\f\  (\f\  f\f\ 
Uu  UU  UU  UU  UU  UU  41)  uu  uu  uu 

Qi  1A  on  <;n         ra  ro 

50 

00  00  00  00  00  00  20  00  00  00 

5B  FB  OF  83  AB  OC  6E  EA 

51 

00  00  00  00  00  00  10  00  00  00 

6C  OC  A7  28  4D  83  6A  AE 
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ROUND 

KEY 

CIPHERTEXT 

52 

00  00  00  00  00  00  08  00  00  00 

AC  57  27  D6  12  El  85  E8 

53 

00  00  00  00  00  00  04  00  00  00 

38  D7  D5  96  A3  D2  9D  90 

54 

00  00  00  00  00  00  02  00  00  00 

78  BA  DA  D3  BC  43  6C  A2 

55 

00  00  00  00  00  00  01  00  00  00 

E4  05  77  87  41  BO  4B  AO 

56 

00  00  00  00  00  00  00  80  00  00 

72  FF  E4  3D  EA  02  AF  A5 

57 

00  00  00  00  00  00  00  40  00  00 

52  E9  31  DF  24  8C  E4  C7 

58 

00  00  00  00  00  00  00  20  00  00 

4BB1  65  FD  B3  BF  F6  5C 

59 

00  00  00  00  00  00  00  10  00  00 

7C  FA  FA  68  61  D7  B4  7D 

60 

00  00  00  00  00  00  00  08  00  00 

48  Dl  75  52  31  F8  7A  2A 

61 

00  00  00  00  00  00  00  04  00  00 

41  32  07  DA  1C9B  6A  B5 

62 

00  00  00  00  00  00  00  02  00  00 

63  F8  18E9  38  2A27  78 

63 

00  00  00  00  00  00  00  01  00  00 

ED  AF  2B  85  FC  30  EB  09 

64 

00  00  00  00  00  00  00  00  80  00 

1 1  FC  59  93  82  07  63  F7 

65 

00  00  00  00  00  00  00  00  40  00 

E5  39  C3  96  99  15  09  2F 

66 

00  00  00  00  00  00  00  00  20  00 

50  6F  6A  IE  83  4A  D8  F7 

67 

00  00  00  00  00  00  00  00  10  00 

8B  15  BA  30  47  FA  31  95 

68 

00  00  00  00  00  00  00  00  08  00 

13  OB  El  5C39  3E4B7A 

69 

00  00  00  00  00  00  00  00  04  00 

88  95  EC  31  04  CA  10  41 

70 

00  00  00  00  00  00  00  00  02  00 

E4  40  AC  DF  4B  64  C9  C9 

71 

00  00  00  00  00  00  00  00  01  00 

C2  32  80  EB  EO  93  FO  02 

72 

00  00  00  00  00  00  00  00  00  80 

52  64  A6  57  41  FE  78  E3 

73 

00  00  00  00  00  00  00  00  00  40 

80  89  2E  76  85  47  CE61 

74 

00  00  00  00  00  00  00  00  00  20 

09  11  41  2D  72  09  34  75 

75 

00  00  00  00  00  00  00  00  00  10 

9F21  AA76  47  83  E6  49 

76 

00  00  00  00  00  00  00  00  00  08 

4C  A9  FA  BE  AD  2C  02  C6 

77 

00  00  00  00  00  00  00  00  00  04 

59  CE  10  97  3A7B  1FD5 

78 

00  00  00  00  00  00  00  00  00  02 

68  3B  29  34  EO  CC  BE  AA 

79 

00  00  00  00  00  00  00  00  00  01 

74  DO  E7  C2  E3  B4  50  A8 
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